- autoyast2
-
- Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)
- 4.3.106
- Properly install the selected products, do not lose them after
resetting the package manager internally (bsc#1202234)
- 4.3.105
- bind
-
- Security Fix:
* The overmem cleaning process has been improved, to prevent the
cache from significantly exceeding the configured
max-cache-size limit.
[bsc#1212544, CVE-2023-2828, bind-CVE-2023-2828.patch]
- binutils
-
- Add binutils-disable-dt-relr.sh for an compatibility problem
caused by binutils-revert-rela.diff in SLE codestreams.
Needed for update of glibc as that would otherwise pick up
the broken relative relocs support. [bsc#1213282, PED-1435]
- blog
-
- Add patch blog.dif
* Fix big endian cast problems to be able to read commands
and ansers (blogctl) as well as passphrases (blogd)
- ca-certificates-mozilla
-
- Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248)
Added:
- Atos TrustedRoot Root CA ECC G2 2020
- Atos TrustedRoot Root CA ECC TLS 2021
- Atos TrustedRoot Root CA RSA G2 2020
- Atos TrustedRoot Root CA RSA TLS 2021
- BJCA Global Root CA1
- BJCA Global Root CA2
- LAWtrust Root CA2 (4096)
- Sectigo Public Email Protection Root E46
- Sectigo Public Email Protection Root R46
- Sectigo Public Server Authentication Root E46
- Sectigo Public Server Authentication Root R46
- SSL.com Client ECC Root CA 2022
- SSL.com Client RSA Root CA 2022
- SSL.com TLS ECC Root CA 2022
- SSL.com TLS RSA Root CA 2022
Removed CAs:
- Chambers of Commerce Root
- E-Tugra Certification Authority
- E-Tugra Global Root CA ECC v3
- E-Tugra Global Root CA RSA v3
- Hongkong Post Root CA 1
- cloud-init
-
- Update cloud-init-write-routes.patch (bsc#1212879)
+ Add necessary import statement
- Enable flake8 linting, fix up patches
+ cloud-init-cve-2023-1786-redact-instance-data-json-main.patch
+ cloud-init-power-rhel-only.patch
+ cloud-init-write-routes.patch
+ datasourceLocalDisk.patch
- Add cloud-init-power-rhel-only.patch (bsc#1210273)
+ Config module cc_refresh_rmc_and_interface is implemented such that
it will only work on RH distros. Set the module availability accordingly.
- Sensitive data exposure (bsc#1210277, CVE-2023-1786)
+ Add hidesensitivedata
+ Add cloud-init-cve-2023-1786-redact-inst-data.patch
+ Do not expose sensitive data gathered from the CSP
- Update to version 23.1
+ Remove patches included upstream:
- cloud-init-btrfs-queue-resize.patch
- cloud-init-micro-is-suse.patch
- cloud-init-suse-afternm.patch
- cloud-init-prefer-nm.patch
- cloud-init-transact-up.patch
+ Forward port
- cloud-init-write-routes.patch
+ Added
- cloud-init-fix-ca-test.patch
+ Support transactional-updates for SUSE based distros (#1997)
[Robert Schweikert]
+ Set ownership for new folders in Write Files Module (#1980)
[Jack] (LP: #1990513)
+ add OpenCloudOS and TencentOS support (#1964) [wynnfeng]
+ lxd: Retry if the server isn't ready (#2025)
+ test: switch pycloudlib source to pypi (#2024)
+ test: Fix integration test deprecation message (#2023)
+ Recognize opensuse-microos, dev tooling fixes [Robert Schweikert]
+ sources/azure: refactor imds handler into own module (#1977)
[Chris Patterson]
+ docs: deprecation generation support [1/2] (#2013)
+ add function is_virtual to distro/FreeBSD (#1957) [Mina Galić]
+ cc_ssh: support multiple hostcertificates (#2018) (LP: #1999164)
+ Fix minor schema validation regression and fixup typing (#2017)
+ doc: Reword user data debug section (#2019)
+ Overhaul/rewrite of certificate handling as follows: (#1962)
[dermotbradley] (LP: #1931174)
+ disk_setup: use byte string when purging the partition table (#2012)
[Stefan Prietl]
+ cli: schema also validate vendordata*.
+ ci: sort and add checks for cla signers file [Stefan Prietl]
+ Add "ederst" as contributor (#2010) [Stefan Prietl]
+ readme: add reference to packages dir (#2001)
+ docs: update downstream package list (#2002)
+ docs: add google search verification (#2000) [s-makin]
+ docs: fix 404 render use default notfound_urls_prefix in RTD conf (#2004)
+ Fix OpenStack datasource detection on bare metal (#1923)
[Alexander Birkner] (LP: #1815990)
+ docs: add themed RTD 404 page and pointer to readthedocs-hosted (#1993)
+ schema: fix gpt labels, use type string for GUID (#1995)
+ cc_disk_setup: code cleanup (#1996)
+ netplan: keep custom strict perms when 50-cloud-init.yaml exists
+ cloud-id: better handling of change in datasource files
[d1r3ct0r] (LP: #1998998)
+ tests: Remove restart check from test
+ Ignore duplicate macs from mscc_felix and fsl_enetc (LP: #1997922)
+ Warn on empty network key (#1990)
+ Fix Vultr cloud_interfaces usage (#1986) [eb3095]
+ cc_puppet: Update puppet service name (#1970) [d1r3ct0r] (LP: #2002969)
+ docs: Clarify networking docs (#1987)
+ lint: remove httpretty (#1985) [sxt1001]
+ cc_set_passwords: Prevent traceback when restarting ssh (#1981)
+ tests: fix lp1912844 (#1978)
+ tests: Skip ansible test on bionic (#1984)
+ Wait for NetworkManager (#1983) [Robert Schweikert]
+ docs: minor polishing (#1979) [s-makin]
+ CI: migrate integration-test to GH actions (#1969)
+ Fix permission of SSH host keys (#1971) [Ron Gebauer]
+ Fix default route rendering on v2 ipv6 (#1973) (LP: #2003562)
+ doc: fix path in net_convert command (#1975)
+ docs: update net_convert docs (#1974)
+ doc: fix dead link
+ cc_set_hostname: ignore /var/lib/cloud/data/set-hostname if it's empty
(#1967) [Emanuele Giuseppe Esposito]
+ distros/rhel.py: _read_hostname() missing strip on "hostname" (#1941)
[Mark Mielke]
+ integration tests: add IBM VPC support (SC-1352) (#1915)
+ machine-id: set to uninitialized to trigger regeneration on clones
(LP: #1999680)
+ sources/azure: retry on connection error when fetching metdata (#1968)
[Chris Patterson]
+ Ensure ssh state accurately obtained (#1966)
+ bddeb: drop dh-systemd dependency on newer deb-based releases [d1r3ct0r]
+ doc: fix `config formats` link in cloudsigma.rst (#1960)
+ Fix wrong subp syntax in cc_set_passwords.py (#1961)
+ docs: update the PR template link to readthedocs (#1958) [d1r3ct0r]
+ ci: switch unittests to gh actions (#1956)
+ Add mount_default_fields for PhotonOS. (#1952) [Shreenidhi Shedi]
+ sources/azure: minor refactor for metadata source detection logic
(#1936) [Chris Patterson]
+ add "CalvoM" as contributor (#1955) [d1r3ct0r]
+ ci: doc to gh actions (#1951)
+ lxd: handle 404 from missing devices route for LXD 4.0 (LP: #2001737)
+ docs: Diataxis overhaul (#1933) [s-makin]
+ vultr: Fix issue regarding cache and region codes (#1938) [eb3095]
+ cc_set_passwords: Move ssh status checking later (SC-1368) (#1909)
(LP: #1998526)
+ Improve Wireguard module idempotency (#1940) [Fabian Lichtenegger-Lukas]
+ network/netplan: add gateways as on-link when necessary (#1931)
[Louis Sautier] (LP: #2000596)
+ tests: test_lxd assert features.networks.zones when present (#1939)
+ Use btrfs enquque when available (#1926) [Robert Schweikert]
+ sources/azure: drop description for report_failure_to_fabric() (#1934)
[Chris Patterson]
+ cc_disk_setup.py: fix MBR single partition creation (#1932)
[dermotbradley] (LP: #1851438)
+ Fix typo with package_update/package_upgrade (#1927) [eb3095]
+ sources/azure: fix device driver matching for net config (#1914)
[Chris Patterson]
+ BSD: fix duplicate macs in Ifconfig parser (#1917) [Mina Galić]
+ test: mock dns calls (#1922)
+ pycloudlib: add lunar support for integration tests (#1928)
+ nocloud: add support for dmi variable expansion for seedfrom URL
(LP: #1994980)
+ tools: read-version drop extra call to git describe --long
+ doc: improve cc_write_files doc (#1916)
+ read-version: When insufficient tags, use cloudinit.version.get_version
+ mounts: document weird prefix in schema (#1913)
+ add utility function test cases (#1910) [sxt1001]
+ test: mock file deletion in dhcp tests (#1911)
+ Ensure network ready before cloud-init service runs on RHEL (#1893)
(LP: #1998655)
+ docs: add copy button to code blocks (#1890) [s-makin]
+ netplan: define features.NETPLAN_CONFIG_ROOT_READ_ONLY flag
+ azure: fix support for systems without az command installed (#1908)
+ Networking Clarification (#1892)
+ Fix the distro.osfamily output problem in the openEuler system. (#1895)
[sxt1001] (LP: #1999042)
+ pycloudlib: bump commit dropping azure api smoke test
+ net: netplan config root read-only as wifi config can contain creds
+ autoinstall: clarify docs for users
+ sources/azure: encode health report as utf-8 (#1897) [Chris Patterson]
+ Add back gateway4/6 deprecation to docs (#1898)
+ networkd: Add support for multiple [Route] sections (#1868)
[Nigel Kukard]
+ doc: add qemu tutorial (#1863)
+ lint: fix tip-flake8 and tip-mypy (#1896)
+ Add support for setting uid when creating users on FreeBSD (#1888)
[einsibjarni]
+ Fix exception in BSD networking code-path (#1894) [Mina Galić]
+ Append derivatives to is_rhel list in cloud.cfg.tmpl (#1887) [Louis Abel]
+ FreeBSD init: use cloudinit_enable as only rcvar (#1875) [Mina Galić]
+ feat: add support aliyun metadata security harden mode (#1865)
[Manasseh Zhou]
+ docs: uprate analyze to performance page [s-makin]
+ test: fix lxd preseed managed network config (#1881)
+ Add support for static IPv6 addresses for FreeBSD (#1839) [einsibjarni]
+ Make 3.12 failures not fail the build (#1873)
+ Docs: adding relative links [s-makin]
+ Update read-version
+ Fix setup.py to align with PEP 440 versioning replacing trailing
+ travis: promote 3.11-dev to 3.11 (#1866)
+ test_cloud_sigma: delete useless test (#1828) [sxt1001]
+ Add "nkukard" as contributor (#1864) [Nigel Kukard]
+ tests: ds-id mocks for vmware-rpctool as utility may not exist in env
+ doc: add how to render new module doc (#1855)
+ doc: improve module creation explanation (#1851)
+ Add Support for IPv6 metadata to OpenStack (#1805)
[Marvin Vogt] (LP: #1906849)
+ add xiaoge1001 to .github-cla-signers (#1854) [sxt1001]
+ network: Deprecate gateway{4,6} keys in network config v2 (#1794)
(LP: #1992512)
+ VMware: Move Guest Customization transport from OVF to VMware (#1573)
[PengpengSun]
+ doc: home page links added (#1852) [s-makin]
From 22.4.2
+ status: handle ds not defined in status.json (#1876) (LP: #1997559)
From 22.4.1
+ net: skip duplicate mac check for netvsc nic and its VF (#1853)
[Anh Vo] (LP: #1844191)
+ ChangeLog: whitespace cleanup (#1850)
+ changelog: capture 22.3.1-4 releases
- Add cloud-init-transact-up.patch to support transactional-updates
- Add cloud-init-prefer-nm.patch
+ Prefer NetworkManager of sysconfig when available
- Update to version 22.4
+ Remove patches included upstream:
- cloud-init-vmware-test.patch
- cloud-init-sysctl-not-in-bin.patch
+ Forward port:
- cloud-init-write-routes.patch
- cloud-init-break-resolv-symlink.patch
- cloud-init-sysconf-path.patch
- cloud-init-no-tempnet-oci.patch
+ Add cloud-init-btrfs-queue-resize.patch (bsc#1171511)
+ Add cloud-init-micro-is-suse.patch (bsc#1203393) [Martin Petersen]
+ Add cloud-init-suse-afternm.patch
+ test: fix pro integration test [Alberto Contreras]
+ cc_disk_setup: pass options in correct order to utils (#1829)
[dermotbradley]
+ tests: text_lxd basic_preseed verify_clean_log (#1826)
+ docs: switch sphinx theme to furo (SC-1327) (#1821) [Alberto Contreras]
+ tests: activate Ubuntu Pro tests (only on Jenkins) (#1777)
[Alberto Contreras]
+ tests: test_lxd assert features.storage.buckets when present (#1827)
+ tests: replace missed ansible install-method with underscore (#1825)
+ tests: replace ansible install-method with underscore
+ ansible: standardize schema keys
+ ci: run json tool on 22.04 rather than 20.04 (#1823)
+ Stop using devices endpoint for LXD network config (#1819)
+ apport: address new curtin log and config locations (#1812)
+ cc_grub: reword docs for clarity (#1818)
+ tests: Fix preseed test (#1820)
+ Auto-format schema (#1810)
+ Ansible Control Module (#1778)
+ Fix last reported event possibly not being sent (#1796) (LP: #1993836)
+ tests: Ignore unsupported lxd project keys (#1817) [Alberto Contreras]
+ udevadm settle should handle non-udev system gracefully (#1806)
[dermotbradley]
+ add mariner support (#1780) [Minghe Ren]
+ Net: add BSD ifconfig(8) parser and state class (#1779) [Mina Galić]
+ adding itjamie to .github-cla-signers [Jamie (Bear) Murphy]
+ Fix inconsistency between comment and statement (#1809) [Guillaume Gay]
+ Update .github-cla-signers (#1811) [Guillaume Gay]
+ alpine.py: Add Alpine-specific manage_service function and update tests
(#1804) [dermotbradley]
+ test: add 3.12-dev to Travis CI (#1798) [Alberto Contreras]
+ add NWCS datasource (#1793) [shell-skrimp]
+ Adding myself as CLA signer (#1799) [s-makin]
+ apport: fix some data collection failures due to symlinks (#1797)
[Dan Bungert]
+ read-version: Make it compatible with bionic (#1795) [Alberto Contreras]
+ lxd: add support for lxd preseed config(#1789)
+ Enable hotplug for LXD datasource (#1787)
+ cli: collect logs and apport subiquity support
+ add support for Container-Optimized OS (#1748) [vteratipally]
+ test: temporarily disable failing integration test (#1792)
+ Fix LXD/nocloud detection on lxd vm tests (#1791)
+ util: Implement __str__ and __iter__ for Version (#1790)
+ cc_ua: consume ua json api for enable commands [Alberto Contreras]
+ Add clarity to cc_final_message docs (#1788)
+ cc_ntp: add support for BSDs (#1759) [Mina Galić] (LP: #1990041)
+ make Makefile make agnostic (#1786) [Mina Galić]
+ Remove hardcoding and unnecessary overrides in Makefile (#1783)
[Joseph Mingrone]
+ Add my username (Jehops) to .github-cla-signers (#1784) [Joseph Mingrone]
+ Temporarily remove broken test (#1781)
+ Create reference documentation for base config
+ cc_ansible: add support for galaxy install (#1736)
+ distros/manage_services: add support to disable service (#1772)
[Mina Galić] (LP: #1991024)
+ OpenBSD: remove pkg_cmd_environ function (#1773)
[Mina Galić] (LP: 1991567)
+ docs: Correct typo in the FAQ (#1774) [Maximilian Wörner]
+ tests: Use LXD metadata to determine NoCloud status (#1776)
+ analyze: use init-local as start of boot record (#1767) [Chris Patterson]
+ docs: use opensuse for distro name in package doc (#1771)
+ doc: clarify packages as dev only (#1769) [Alberto Contreras]
+ Distro manage service: Improve BSD support (#1758)
[Mina Galić] (LP: #1990070)
+ testing: check logs for critical errors (#1765) [Chris Patterson]
+ cc_ubuntu_advantage: Handle already attached on Pro [Alberto Contreras]
+ doc: Add configuration explanation (SC-1169)
+ Fix Oracle DS primary interface when using IMDS (#1757) (LP: #1989686)
+ style: prefer absolute imports over relative imports [Mina Galić]
+ tests: Fix ip log during instance destruction (#1755) [Alberto Contreras]
+ cc_ubuntu_advantage: add ua_config in auto-attach [Alberto Contreras]
+ apt configure: sources write/append mode (#1738)
[Fabian Lichtenegger-Lukas]
+ networkd: Add test and improve typing. (#1747) [Alberto Contreras]
+ pycloudlib: bump commit for gce cpu architecture support (#1750)
+ commit ffcb29bc8315d1e1d6244eeb1cbd8095958f7bad (LP: #1307667)
+ testing: workaround LXD vendor data (#1740)
+ support dhcp{4,6}-overrides in networkd renderer (#1710) [Aidan Obley]
+ tests: Drop httpretty in favor of responses (#1720) [Alberto Contreras]
+ cc_ubuntu_advantage: Implement custom auto-attach behaviors (#1583)
[Alberto Contreras]
+ Fix Oracle DS not setting subnet when using IMDS (#1735) (LP: #1989686)
+ testing: focal lxd datasource discovery (#1734)
+ cc_ubuntu_advantage: Redact token from logs (#1726) [Alberto Contreras]
+ docs: make sure echo properly evaluates the string (#1733) [Mina Galić]
+ net: set dhclient lease and pid files (#1715)
+ cli: status machine-readable output --format yaml/json (#1663)
(LP: #1883122)
+ tests: Simplify does_not_raise (#1731) [Alberto Contreras]
+ Refactor: Drop inheritance from object (#1728) [Alberto Contreras]
+ testing: LXD datasource now supported on Focal (#1732)
+ Allow jinja templating in /etc/cloud (SC-1170) (#1722) (LP: #1913461)
+ sources/azure: ensure instance id is always correct (#1727)
[Chris Patterson]
+ azure: define new attribute for pre-22.3 pickles (#1725)
+ doc: main page Diátaxis rewording (SC-967) (#1701)
+ ubuntu advantage: improved idempotency, enable list is now strict
+ [Fabian Lichtenegger-Lukas]
+ test: bump pycloudlib (#1724) [Alberto Contreras]
+ cloud.cfg.tmpl: make sure "centos" settings are identical to "rhel"
(#1639) [Emanuele Giuseppe Esposito]
+ lxd: fetch 1.0/devices content (#1712) [Alberto Contreras]
+ Update docs according to ad8f406a (#1719)
+ testing: Port unittests/analyze to pytest (#1708) [Alberto Contreras]
+ doc: Fix rtd builds. (#1718) [Alberto Contreras]
+ testing: fully mock noexec calls (#1717) [Alberto Contreras]
+ typing: Add types to cc_<module>.handle (#1700) [Alberto Contreras]
+ Identify 3DS Outscale Datasource as Ec2 (#1686) [Maxime Dufour]
+ config: enable bootstrapping pip in ansible (#1707)
+ Fix cc_chef typing issue (#1716)
+ Refactor instance json files to use Paths (SC-1238) (#1709)
+ tools: read-version check GITHUB_REF and git branch --show-current
(#1677)
+ net: Ensure a tmp with exec permissions for dhcp (#1690)
[Alberto Contreras] (LP: #1962343)
+ testing: Fix test regression in test_combined (#1713) [Alberto Contreras]
+ Identify Huawei Cloud as OpenStack (#1689) [huang xinjie]
+ doc: add reporting suggestion to FAQ (SC-1236) (#1698)
From 22.3
+ sources: obj.pkl cache should be written anyime get_data is run (#1669)
+ schema: drop release number from version file (#1664)
+ pycloudlib: bump to quiet azure HTTP info logs (#1668)
+ test: fix wireguard integration tests (#1666)
+ Github is deprecating the 18.04 runner starting 12.1 (#1665)
+ integration tests: Ensure one setup for all tests (#1661)
+ tests: ansible test fixes (#1660)
+ Prevent concurrency issue in test_webhook_hander.py (#1658)
+ Workaround net_setup_link race with udev (#1655) (LP: #1983516)
+ test: drop erroneous lxd assertion, verify command succeeded (#1657)
+ Fix Chrony usage on Centos Stream (#1648) [Sven Haardiek] (LP: #1885952)
+ sources/azure: handle network unreachable errors for savable PPS (#1642)
[Chris Patterson]
+ Return cc_set_hostname to PER_INSTANCE frequency (#1651) (LP: #1983811)
+ test: Collect integration test time by default (#1638)
+ test: Drop forced package install hack in lxd integration test (#1649)
+ schema: Resolve user-data if --system given (#1644)
[Alberto Contreras] (LP: #1983306)
+ test: use fake filesystem to avoid file removal (#1647)
[Alberto Contreras]
+ tox: Fix tip-flake8 and tip-mypy (#1635) [Alberto Contreras]
+ config: Add wireguard config module (#1570) [Fabian Lichtenegger-Lukas]
+ tests: can run without azure-cli, tests expect inactive ansible (#1643)
+ typing: Type UrlResponse.contents (#1633) [Alberto Contreras]
+ testing: fix references to `DEPRECATED.` (#1641) [Alberto Contreras]
+ ssh_util: Handle sshd_config.d folder [Alberto Contreras] (LP: #1968873)
+ schema: Enable deprecations in cc_update_etc_hosts (#1631)
[Alberto Contreras]
+ Add Ansible Config Module (#1579)
+ util: Support Idle process state in get_proc_ppid() (#1637)
+ schema: Enable deprecations in cc_growpart (#1628) [Alberto Contreras]
+ schema: Enable deprecations in cc_users_groups (#1627)
[Alberto Contreras]
+ util: Fix error path and parsing in get_proc_ppid()
+ main: avoid downloading full contents cmdline urls (#1606)
[Alberto Contreras] (LP: #1937319)
+ schema: Enable deprecations in cc_scripts_vendor (#1629)
[Alberto Contreras]
+ schema: Enable deprecations in cc_set_passwords (#1630)
[Alberto Contreras]
+ sources/azure: add experimental support for preprovisioned os disks
(#1622) [Chris Patterson]
+ Remove configobj a_to_u calls (#1632) [Stefano Rivera]
+ cc_debug: Drop this module (#1614) [Alberto Contreras]
+ schema: add aggregate descriptions in anyOf/oneOf (#1636)
+ testing: migrate test_sshutil to pytest (#1617) [Alberto Contreras]
+ testing: Fix test_ca_certs integration test (#1626) [Alberto Contreras]
+ testing: add support for pycloudlib's pro images (#1604)
[Alberto Contreras]
+ testing: migrate test_cc_set_passwords to pytest (#1615)
[Alberto Contreras]
+ network: add system_info network activator cloud.cfg overrides (#1619)
(LP: #1958377)
+ docs: Align git remotes with uss-tableflip setup (#1624)
[Alberto Contreras]
+ testing: cover active config module checks (#1609) [Alberto Contreras]
+ lxd: lvm avoid thinpool when kernel module absent
+ lxd: enable MTU configuration in cloud-init
+ doc: pin doc8 to last passing version
+ cc_set_passwords fixes (#1590)
+ Modernise importer.py and type ModuleDetails (#1605) [Alberto Contreras]
+ config: Def activate_by_schema_keys for t-z (#1613) [Alberto Contreras]
+ config: define activate_by_schema_keys for p-r mods (#1611)
[Alberto Contreras]
+ clean: add param to remove /etc/machine-id for golden image creation
+ config: define `activate_by_schema_keys` for a-f mods (#1608)
[Alberto Contreras]
+ config: define activate_by_schema_keys for s mods (#1612)
[Alberto Contreras]
+ sources/azure: reorganize tests for network config (#1586)
+ [Chris Patterson]
+ config: Define activate_by_schema_keys for g-n mods (#1610)
[Alberto Contreras]
+ meta-schema: add infra to skip inapplicable modules [Alberto Contreras]
+ sources/azure: don't set cfg["password"] for default user pw (#1592)
[Chris Patterson]
+ schema: activate grub-dpkg deprecations (#1600) [Alberto Contreras]
+ docs: clarify user password purposes (#1593)
+ cc_lxd: Add btrfs and lvm lxd storage options (SC-1026) (#1585)
+ archlinux: Fix distro naming[1] (#1601) [Kristian Klausen]
+ cc_ubuntu_autoinstall: support live-installer autoinstall config
+ clean: allow third party cleanup scripts in /etc/cloud/clean.d (#1581)
+ sources/azure: refactor chassis asset tag handling (#1574)
[Chris Patterson]
+ Add "netcho" as contributor (#1591) [Kaloyan Kotlarski]
+ testing: drop impish support (#1596) [Alberto Contreras]
+ black: fix missed formatting issue which landed in main (#1594)
+ bsd: Don't assume that root user is in root group (#1587)
+ docs: Fix comment typo regarding use of packages (#1582)
[Peter Mescalchin]
+ Update govc command in VMWare walkthrough (#1576) [manioo8]
+ Update .github-cla-signers (#1588) [Daniel Mullins]
+ Rename the openmandriva user to omv (#1575) [Bernhard Rosenkraenzer]
+ sources/azure: increase read-timeout to 60 seconds for wireserver
(#1571) [Chris Patterson]
+ Resource leak cleanup (#1556)
+ testing: remove appereances of FakeCloud (#1584) [Alberto Contreras]
+ Fix expire passwords for hashed passwords (#1577)
[Sadegh Hayeri] (LP: #1979065)
+ mounts: fix suggested_swapsize for > 64GB hosts (#1569) [Steven Stallion]
+ Update chpasswd schema to deprecate password parsing (#1517)
+ tox: Remove entries from default envlist (#1578) (LP: #1980854)
+ tests: add test for parsing static dns for existing devices (#1557)
[Jonas Konrad]
+ testing: port cc_ubuntu_advantage test to pytest (#1559)
[Alberto Contreras]
+ Schema deprecation handling (#1549) [Alberto Contreras]
+ Enable pytest to run in parallel (#1568)
+ sources/azure: refactor ovf-env.xml parsing (#1550) [Chris Patterson]
+ schema: Force stricter validation (#1547)
+ ubuntu advantage config: http_proxy, https_proxy (#1512)
[Fabian Lichtenegger-Lukas]
+ net: fix interface matching support (#1552) (LP: #1979877)
+ Fuzz testing jsonchema (#1499) [Alberto Contreras]
+ testing: Wait for changed boot-id in test_status.py (#1548)
+ CI: Fix GH pinned-format jobs (#1558) [Alberto Contreras]
+ Typo fix (#1560) [Jaime Hablutzel]
+ tests: mock dns lookup that causes long timeouts (#1555)
+ tox: add unpinned env for do_format and check_format (#1554)
+ cc_ssh_import_id: Substitute deprecated warn (#1553) [Alberto Contreras]
+ Remove schema errors from log (#1551) (LP: #1978422) (CVE-2022-2084)
+ Update WebHookHandler to run as background thread (SC-456) (#1491)
(LP: #1910552)
+ testing: Don't run custom cloud dir test on Bionic (#1542)
+ bash completion: update schema command (#1543) (LP: #1979547)
+ CI: add non-blocking run against the linters tip versions (#1531)
[Paride Legovini]
+ Change groups within the users schema to support lists and strings
(#1545) [RedKrieg]
+ make it clear which username should go in the contributing doc (#1546)
+ Pin setuptools for Travis (SC-1136) (#1540)
+ Fix LXD datasource crawl when BOOT enabled (#1537)
+ testing: Fix wrong path in dual stack test (#1538)
+ cloud-config: honor cloud_dir setting (#1523)
[Alberto Contreras] (LP: #1976564)
+ Add python3-debconf to pkg-deps.json Build-Depends (#1535)
[Alberto Contreras]
+ redhat spec: udev/rules.d lives under /usr/lib on rhel-based systems
(#1536)
+ tests/azure: add test coverage for DisableSshPasswordAuthentication
(#1534) [Chris Patterson]
+ summary: Add david-caro to the cla signers (#1527) [David Caro]
+ Add support for OpenMandriva (https://openmandriva.org/) (#1520)
[Bernhard Rosenkraenzer]
+ tests/azure: refactor ovf creation (#1533) [Chris Patterson]
+ Improve DataSourceOVF error reporting when script disabled (#1525) [rong]
+ tox: integration-tests-jenkins: softfail if only some test failed
(#1528) [Paride Legovini]
+ CI: drop linters from Travis CI (moved to GH Actions) (#1530)
[Paride Legovini]
+ sources/azure: remove unused encoding support for customdata (#1526)
[Chris Patterson]
+ sources/azure: remove unused metadata captured when parsing ovf (#1524)
[Chris Patterson]
+ sources/azure: remove dscfg parsing from ovf-env.xml (#1522)
[Chris Patterson]
+ Remove extra space from ec2 dual stack crawl message (#1521)
+ tests/azure: use namespaces in generated ovf-env.xml documents (#1519)
[Chris Patterson]
+ setup.py: adjust udev/rules default path (#1513)
[Emanuele Giuseppe Esposito]
+ Add python3-deconf dependency (#1506) [Alberto Contreras]
+ Change match macadress param for network v2 config (#1518)
[Henrique Caricatti Capozzi]
+ sources/azure: remove unused userdata property from ovf (#1516)
[Chris Patterson]
+ sources/azure: minor refactoring to network config generation (#1497)
[Chris Patterson]
+ net: Implement link-local ephemeral ipv6
+ Rename function to avoid confusion (#1501)
+ Fix cc_phone_home requiring 'tries' (#1500) (LP: #1977952)
+ datasources: replace networking functions with stdlib and cloudinit.net
+ code
+ Remove xenial references (#1472) [Alberto Contreras]
+ Oracle ds changes (#1474) [Alberto Contreras] (LP: #1967942)
+ improve runcmd docs (#1498)
+ add 3.11-dev to Travis CI (#1493)
+ Only run github actions on pull request (#1496)
+ Fix integration test client creation (#1494) [Alberto Contreras]
+ tox: add link checker environment, fix links (#1480)
+ cc_ubuntu_advantage: Fix doc (#1487) [Alberto Contreras]
+ cc_yum_add_repo: Fix repo id canonicalization (#1489)
[Alberto Contreras] (LP: #1975818)
+ Add linitio as contributor in the project (#1488) [Kevin Allioli]
+ net-convert: use yaml.dump for debugging python NetworkState obj (#1484)
(LP: #1975907)
+ test_schema: no relative $ref URLs, replace $ref with local path (#1486)
+ cc_set_hostname: do not write "localhost" when no hostname is given
+ (#1453) [Emanuele Giuseppe Esposito]
+ Update .github-cla-signers (#1478) [rong]
+ schema: write_files defaults, versions $ref full URL and add vscode
(#1479)
+ docs: fix external links, add one more to the list (#1477)
+ doc: Document how to change module frequency (#1481)
+ tests: bump pycloudlib (#1482)
+ tests: bump pycloudlib pinned commit for kinetic Azure (#1476)
+ testing: fix test_status.py (#1475)
+ integration tests: If KEEP_INSTANCE = True, log IP (#1473)
+ Drop mypy excluded files (#1454) [Alberto Contreras]
+ Docs additions (#1470)
+ Add "formatting tests" to Github Actions
+ Remove unused arguments in function signature (#1471)
+ Changelog: correct errant classification of LP issues as GH (#1464)
+ Use Network-Manager and Netplan as default renderers for RHEL and Fedora
(#1465) [Emanuele Giuseppe Esposito]
From 22.2
+ Fix test due to caplog incompatibility (#1461) [Alberto Contreras]
+ Align rhel custom files with upstream (#1431)
[Emanuele Giuseppe Esposito]
+ cc_write_files: Improve schema. (#1460) [Alberto Contreras]
+ cli: Redact files with permission errors in commands (#1440)
+ [Alberto Contreras] (LP: #1953430)
+ Improve cc_set_passwords. (#1456) [Alberto Contreras]
+ testing: make fake cloud-init wait actually wait (#1459)
+ Scaleway: Fix network configuration for netplan 0.102 and later (#1455)
[Maxime Corbin]
+ Fix 'ephmeral' typos in disk names(#1452) [Mike Hucka]
+ schema: version schema-cloud-config-v1.json (#1424)
+ cc_modules: set default meta frequency value when no config available
(#1457)
+ Log generic warning on non-systemd systems. (#1450) [Alberto Contreras]
+ cc_snap.maybe_install_squashfuse no longer needed in Bionic++. (#1448)
[Alberto Contreras]
+ Drop support of *-sk keys in cc_ssh (#1451) [Alberto Contreras]
+ testing: Fix console_log tests (#1437)
+ tests: cc_set_passoword update for systemd, non-systemd distros (#1449)
+ Fix bug in url_helper/dual_stack() logging (#1426)
+ schema: render schema paths from _CustomSafeLoaderWithMarks (#1391)
+ testing: Make integration tests kinetic friendly (#1441)
+ Handle error if SSH service no present. (#1422)
[Alberto Contreras] (LP: #1969526)
+ Fix network-manager activator availability and order (#1438)
+ sources/azure: remove reprovisioning marker (#1414) [Chris Patterson]
+ upstart: drop vestigial support for upstart (#1421)
+ testing: Ensure NoCloud detected in test (#1439)
+ Update .github-cla-signers kallioli [Kevin Allioli]
+ Consistently strip top-level network key (#1417) (LP: #1906187)
+ testing: Fix LXD VM metadata test (#1430)
+ testing: Add NoCloud setup for NoCloud test (#1425)
+ Update linters and adapt code for compatibility (#1434) [Paride Legovini]
+ run-container: add support for LXD VMs (#1428) [Paride Legovini]
+ integration-reqs: bump pycloudlib pinned commit (#1427) [Paride Legovini]
+ Fix NoCloud docs (#1423)
+ Docs fixes (#1406)
+ docs: Add docs for module creation (#1415)
+ Remove cheetah from templater (#1416)
+ tests: verify_ordered_items fallback to re.escape if needed (#1420)
+ Misc module cleanup (#1418)
+ docs: Fix doc warnings and enable errors (#1419)
[Alberto Contreras] (LP: #1876341)
+ Refactor cloudinit.sources.NetworkConfigSource to enum (#1413)
[Alberto Contreras] (LP: #1874875)
+ Don't fail if IB and Ethernet devices 'collide' (#1411)
+ Use cc_* module meta defintion over hardcoded vars (SC-888) (#1385)
+ Fix cc_rsyslog.py initialization (#1404) [Alberto Contreras]
+ Promote cloud-init schema from devel to top level subcommand (#1402)
+ mypy: disable missing imports warning for httpretty (#1412)
[Chris Patterson]
+ users: error when home should not be created AND ssh keys provided
[Jeffrey 'jf' Lim]
+ Allow growpart to resize encrypted partitions (#1316)
+ Fix typo in integration_test.rst (#1405) [Alberto Contreras]
+ cloudinit.net refactor: apply_network_config_names (#1388)
[Alberto Contreras] (LP: #1884602)
+ tests/azure: add fixtures for hardcoded paths (markers and data_dir)
(#1399) [Chris Patterson]
+ testing: Add responses workaround for focal/impish (#1403)
+ cc_ssh_import_id: fix is_key_in_nested_dict to avoid early False
+ Fix ds-identify not detecting NoCloud seed in config (#1381)
(LP: #1876375)
+ sources/azure: retry dhcp for failed processes (#1401) [Chris Patterson]
+ Move notes about refactorization out of CONTRIBUTING.rst (#1389)
+ Shave ~8ms off generator runtime (#1387)
+ Fix provisioning dhcp timeout to 20 minutes (#1394) [Chris Patterson]
+ schema: module example strict testing fix seed_random
+ cc_set_hostname: examples small typo (perserve vs preserve)
[Wouter Schoot]
+ sources/azure: refactor http_with_retries to remove **kwargs (#1392)
[Chris Patterson]
+ declare dependency on ssh-import-id (#1334)
+ drop references to old dependencies and old centos script
+ sources/azure: only wait for primary nic to be attached during restore
(#1378) [Anh Vo]
+ cc_ntp: migrated legacy schema to cloud-init-schema.json (#1384)
+ Network functions refactor and bugfixes (#1383)
+ schema: add JSON defs for modules cc_users_groups (#1379)
(LP: #1858930)
+ Fix doc typo (#1382) [Alberto Contreras]
+ Add support for dual stack IPv6/IPv4 IMDS to Ec2 (#1160)
+ Fix KeyError when rendering sysconfig IPv6 routes (#1380) (LP: #1958506)
+ Return a namedtuple from subp() (#1376)
+ Mypy stubs and other tox maintenance (SC-920) (#1374)
+ Distro Compatibility Fixes (#1375)
+ Pull in Gentoo patches (#1372)
+ schema: add json defs for modules U-Z (#1360)
(LP: #1858928, #1858929, #1858931, #1858932)
+ util: atomically update sym links to avoid Suppress FileNotFoundError
+ when reading status (#1298) [Adam Collard] (LP: #1962150)
+ schema: add json defs for modules scripts-timezone (SC-801) (#1365)
+ docs: Add first tutorial (SC-900) (#1368)
+ BUG 1473527: module ssh-authkey-fingerprints fails Input/output error…
(#1340) [Andrew Lee] (LP: #1473527)
+ add arch hosts template (#1371)
+ ds-identify: detect LXD for VMs launched from host with > 5.10 kernel
(#1370) (LP: #1968085)
+ Support EC2 tags in instance metadata (#1309) [Eduardo Dobay]
+ schema: add json defs for modules e-install (SC-651) (#1366)
+ Improve "(no_create_home|system): true" test (#1367) [Jeffrey 'jf' Lim]
+ Expose https_proxy env variable to ssh-import-id cmd (#1333)
[Michael Rommel]
+ sources/azure: remove bind/unbind logic for hot attached nic (#1332)
[Chris Patterson]
+ tox: add types-* packages to check_format env (#1362)
+ tests: python 3.10 is showing up in cloudimages (#1364)
+ testing: add additional mocks to test_net tests (#1356) [yangzz-97]
+ schema: add JSON schema for mcollective, migrator and mounts modules
(#1358)
+ Honor system locale for RHEL (#1355) [Wei Shi]
+ doc: Fix typo in cloud-config-run-cmds.txt example (#1359) [Ali Shirvani]
+ ds-identify: also discover LXD by presence from DMI board_name = LXD
(#1311)
+ black: bump pinned version to 22.3.0 to avoid click dependency issues
(#1357)
+ Various doc fixes (#1330)
+ testing: Add missing is_FreeBSD mock to networking test (#1353)
+ Add --no-update to add-apt-repostory call (SC-880) (#1337)
+ schema: add json defs for modules K-L (#1321)
(LP: #1858899, #1858900, #1858901, #1858902)
+ docs: Re-order readthedocs install (#1354)
+ Stop cc_ssh_authkey_fingerprints from ALWAYS creating home (#1343)
[Jeffrey 'jf' Lim]
+ docs: add jinja2 pin (#1352)
+ Vultr: Use find_candidate_nics, use ipv6 dns (#1344) [eb3095]
+ sources/azure: move get_ip_from_lease_value out of shim (#1324)
[Chris Patterson]
+ Fix cloud-init status --wait when no datasource found (#1349)
(LP: #1966085)
+ schema: add JSON defs for modules resize-salt (SC-654) (#1341)
+ Add myself as a future contributor (#1345) [Neal Gompa (ニール・ゴンパ)]
+ Update .github-cla-signers (#1342) [Jeffrey 'jf' Lim]
+ add Requires=cloud-init-hotplugd.socket in cloud-init-hotplugd.service
+ file (#1335) [yangzz-97]
+ Fix sysconfig render when set-name is missing (#1327)
[Andrew Kutz] (LP: #1855945)
+ Refactoring helper funcs out of NetworkState (#1336) [Andrew Kutz]
+ url_helper: add tuple support for readurl timeout (#1328)
[Chris Patterson]
+ Make fs labels match for ds-identify and docs (#1329)
+ Work around bug in LXD VM detection (#1325)
+ Remove redundant generator logs (#1318)
+ tox: set verbose flags for integration tests (#1323) [Chris Patterson]
+ net: introduce find_candidate_nics() (#1313) [Chris Patterson]
+ Revert "Ensure system_cfg read before ds net config on Oracle (#1174)"
(#1326)
+ Add vendor_data2 support for ConfigDrive source (#1307) [cvstealth]
+ Make VMWare data source test host independent and expand testing (#1308)
[Robert Schweikert]
+ Add json schemas for modules starting with P
+ sources/azure: remove lease file parsing (#1302) [Chris Patterson]
+ remove flaky test from ci (#1322)
+ ci: Switch to python 3.10 in Travis CI (#1320)
+ Better interface handling for Vultr, expect unexpected DHCP servers
(#1297) [eb3095]
+ Remove unused init local artifact (#1315)
+ Doc cleanups (#1317)
+ docs improvements (#1312)
+ add support for jinja do statements, add unit test (#1314)
[Paul Bruno] (LP: #1962759)
+ sources/azure: prevent tight loops for DHCP retries (#1285)
[Chris Patterson]
+ net/dhcp: surface type of DHCP lease failure to caller (#1276)
[Chris Patterson]
+ Stop hardcoding systemctl location (#1278) [Robert Schweikert]
+ Remove python2 syntax from docs (#1310)
+ [tools/migrate-lp-user-to-github] Rename master branch to main (#1301)
[Adam Collard]
+ redhat: Depend on "hostname" package (#1288) [Lubomir Rintel]
+ Add native NetworkManager support (#1224) [Lubomir Rintel]
+ Fix link in CLA check to point to contribution guide. (#1299)
[Adam Collard]
+ check for existing symlink while force creating symlink (#1281)
[Shreenidhi Shedi]
+ Do not silently ignore integer uid (#1280) (LP: #1875772)
+ tests: create a IPv4/IPv6 VPC in Ec2 integration tests (#1291)
+ Integration test fix ppa (#1296)
+ tests: on official EC2. cloud-id actually startswith aws not ec2 (#1289)
+ test_ppa_source: accept both http and https URLs (#1292)
[Paride Legovini]
+ Fix apt test on azure
+ add "lkundrak" as contributor [Lubomir Rintel]
+ Holmanb/integration test fix ppa (#1287)
+ Include missing subcommand in manpage (#1279)
+ Clean up artifacts from pytest, packaging, release with make clean
(#1277)
+ sources/azure: ensure retries on IMDS request failure (#1271)
[Chris Patterson]
+ sources/azure: removed unused savable PPS paths (#1268) [Chris Patterson]
+ integration tests: fix Azure failures (#1269)
From 22.1
+ sources/azure: report ready in local phase (#1265) [Chris Patterson]
+ sources/azure: validate IMDS network configuration metadata (#1257)
[Chris Patterson]
+ docs: Add more details to runcmd docs (#1266)
+ use PEP 589 syntax for TypeDict (#1253)
+ mypy: introduce type checking (#1254) [Chris Patterson]
+ Fix extra ipv6 issues, code reduction and simplification (#1243) [eb3095]
+ tests: when generating crypted password, generate in target env (#1252)
+ sources/azure: address mypy/pyright typing complaints (#1245)
[Chris Patterson]
+ Docs for x-shellscript* userdata (#1260)
+ test_apt_security: azure platform has specific security URL overrides
(#1263)
+ tests: lsblk --json output changes mountpoint key to mountpoinst []
(#1261)
+ mounts: fix mount opts string for ephemeral disk (#1250)
[Chris Patterson]
+ Shell script handlers by freq (#1166) [Chris Lalos]
+ minor improvements to documentation (#1259) [Mark Esler]
+ cloud-id: publish /run/cloud-init/cloud-id-<cloud-type> files (#1244)
+ add "eslerm" as contributor (#1258) [Mark Esler]
+ sources/azure: refactor ssh key handling (#1248) [Chris Patterson]
+ bump pycloudlib (#1256)
+ sources/hetzner: Use EphemeralDHCPv4 instead of static configuration
(#1251) [Markus Schade]
+ bump pycloudlib version (#1255)
+ Fix IPv6 netmask format for sysconfig (#1215) [Harald] (LP: #1959148)
+ sources/azure: drop debug print (#1249) [Chris Patterson]
+ tests: do not check instance.pull_file().ok() (#1246)
+ sources/azure: consolidate ephemeral DHCP configuration (#1229)
[Chris Patterson]
+ cc_salt_minion freebsd fix for rc.conf (#1236)
+ sources/azure: fix metadata check in _check_if_nic_is_primary() (#1232)
[Chris Patterson]
+ Add _netdev option to mount Azure ephemeral disk (#1213) [Eduardo Otubo]
+ testing: stop universally overwriting /etc/cloud/cloud.cfg.d (#1237)
+ Integration test changes (#1240)
+ Fix Gentoo Locales (#1205)
+ Add "slingamn" as contributor (#1235) [Shivaram Lingamneni]
+ integration: do not LXD bind mount /etc/cloud/cloud.cfg.d (#1234)
+ Integration testing docs and refactor (#1231)
+ vultr: Return metadata immediately when found (#1233) [eb3095]
+ spell check docs with spellintian (#1223)
+ docs: include upstream python version info (#1230)
+ Schema a d (#1211)
+ Move LXD to end ds-identify DSLIST (#1228) (LP: #1959118)
+ fix parallel tox execution (#1214)
+ sources/azure: refactor _report_ready_if_needed and _poll_imds (#1222)
[Chris Patterson]
+ Do not support setting up archive.canonical.com as a source (#1219)
[Steve Langasek] (LP: #1959343)
+ Vultr: Fix lo being used for DHCP, try next on cmd fail (#1208) [eb3095]
+ sources/azure: refactor _should_reprovision[_after_nic_attach]() logic
(#1206) [Chris Patterson]
+ update ssh logs to show ssh private key gens pub and simplify code
(#1221) [Steve Weber]
+ Remove mitechie from stale PR github action (#1217)
+ Include POST format in cc_phone_home docs (#1218) (LP: #1959149)
+ Add json parsing of ip addr show (SC-723) (#1210)
+ cc_rsyslog: fix typo in docstring (#1207) [Louis Sautier]
+ Update .github-cla-signers (#1204) [Chris Lalos]
+ sources/azure: drop unused case in _report_failure() (#1200)
[Chris Patterson]
+ sources/azure: always initialize _ephemeral_dhcp_ctx on unpickle (#1199)
[Chris Patterson]
+ Add support for gentoo templates and cloud.cfg (#1179) [vteratipally]
+ sources/azure: unpack ret tuple in crawl_metadata() (#1194)
[Chris Patterson]
+ tests: focal caplog has whitespace indentation for multi-line logs
(#1201)
+ Seek interfaces, skip dummy interface, fix region codes (#1192) [eb3095]
+ integration: test against the Ubuntu daily images (#1198)
[Paride Legovini]
+ cmd: status and cloud-id avoid change in behavior for 'not run' (#1197)
+ tox: pass PYCLOUDLIB_* env vars into integration tests when present
(#1196)
+ sources/azure: set ovf_is_accessible when OVF is read successfully
(#1193) [Chris Patterson]
+ Enable OVF environment transport via ISO in example (#1195) [Megian]
+ sources/azure: consolidate DHCP variants to EphemeralDHCPv4WithReporting
(#1190) [Chris Patterson]
+ Single JSON schema validation in early boot (#1175)
+ Add DatasourceOVF network-config propery to Ubuntu OVF example (#1184)
[Megian]
+ testing: support pycloudlib config file (#1189)
+ Ensure system_cfg read before ds net config on Oracle (SC-720) (#1174)
(LP: #1956788)
+ Test Optimization Proposal (SC-736) (#1188)
+ cli: cloud-id report not-run or disabled state as cloud-id (#1162)
+ Remove distutils usage (#1177) [Shreenidhi Shedi]
+ add .python-version to gitignore (#1186)
+ print error if datasource import fails (#1170)
[Emanuele Giuseppe Esposito]
+ Add new config module to set keyboard layout (#1176)
[maxnet] (LP: #1951593)
+ sources/azure: rename metadata_type -> MetadataType (#1181)
[Chris Patterson]
+ Remove 3.5 and xenial support (SC-711) (#1167)
+ tests: mock LXD datasource detection in ds-identify on LXD containers
(#1178)
+ pylint: silence errors on compat code for old jsonschema (#1172)
[Paride Legovini]
+ testing: Add 3.10 Test Coverage (#1173)
+ Remove unittests from integration test job in travis (#1141)
+ Don't throw exceptions for empty cloud config (#1130)
+ bsd/resolv.d/ avoid duplicated entries (#1163) [Gonéri Le Bouder]
+ sources/azure: do not persist failed_desired_api_version flag (#1159)
[Chris Patterson]
+ Update cc_ubuntu_advantage calls to assume-yes (#1158)
[John Chittum] (LP: #1954842)
+ openbsd: properly restart the network on 7.0 (#1150) [Gonéri Le Bouder]
+ Add .git-blame-ignore-revs (#1161)
+ Adopt Black and isort (SC-700) (#1157)
+ Include dpkg frontend lock in APT_LOCK_FILES (#1153)
+ tests/cmd/query: fix test run as root and add coverage for defaults
(#1156) [Chris Patterson] (LP: #1825027)
+ Schema processing changes (SC-676) (#1144)
+ Add dependency workaround for impish in bddeb (#1148)
+ netbsd: install new dep packages (#1151) [Gonéri Le Bouder]
+ find_devs_with_openbsd: ensure we return the last entry (#1149)
[Gonéri Le Bouder]
+ sources/azure: remove unnecessary hostname bounce (#1143)
[Chris Patterson]
+ find_devs/openbsd: accept ISO on disk (#1132)
[Gonéri Le Bouder]
+ Improve error log message when mount failed (#1140) [Ksenija Stanojevic]
+ add KsenijaS as a contributor (#1145) [Ksenija Stanojevic]
+ travis - don't run integration tests if no deb (#1139)
+ factor out function for getting top level directory of cloudinit (#1136)
+ testing: Add deterministic test id (#1138)
+ mock sleep() in azure test (#1137)
+ Add miraclelinux support (#1128) [Haruki TSURUMOTO]
+ docs: Make MACs lowercase in network config (#1135) (LP: #1876941)
+ Add Strict Metaschema Validation (#1101)
+ update dead link (#1133)
+ cloudinit/net: handle two different routes for the same ip (#1124)
[Emanuele Giuseppe Esposito]
+ docs: pin mistune dependency (#1134)
+ Reorganize unit test locations under tests/unittests (#1126)
+ Fix exception when no activator found (#1129) (LP: #1948681)
+ jinja: provide and document jinja-safe key aliases in instance-data
(SC-622) (#1123)
+ testing: Remove date from final_message test (SC-638) (#1127)
+ Move GCE metadata fetch to init-local (SC-502) (#1122)
+ Fix missing metadata routes for vultr (#1125) [eb3095]
+ cc_ssh_authkey_fingerprints.py: prevent duplicate messages on console
(#1081) [dermotbradley]
+ sources/azure: remove unused remnants related to agent command (#1119)
[Chris Patterson]
+ github: update PR template's contributing URL (#1120) [Chris Patterson]
+ docs: Rename HACKING.rst to CONTRIBUTING.rst (#1118)
+ testing: monkeypatch system_info call in unit tests (SC-533) (#1117)
+ Fix Vultr timeout and wait values (#1113) [eb3095]
+ lxd: add preference for LXD cloud-init.* config keys over user keys
(#1108)
+ VMware: source /etc/network/interfaces.d/* on Debian
[chengcheng-chcheng] (LP: #1950136)
+ Add cjp256 as contributor (#1109) [Chris Patterson]
+ integration_tests: Ensure log directory exists before symlinking to it
(#1110)
+ testing: add growpart integration test (#1104)
+ integration_test: Speed up CI run time (#1111)
+ Some miscellaneous integration test fixes (SC-606) (#1103)
+ tests: specialize lxd_discovery test for lxd_vm vendordata (#1106)
+ Add convenience symlink to integration test output (#1105)
+ Fix for set-name bug in networkd renderer (#1100)
[Andrew Kutz] (LP: #1949407)
+ Wait for apt lock (#1034) (LP: #1944611)
+ testing: stop chef test from running on openstack (#1102)
+ alpine.py: add options to the apk upgrade command (#1089) [dermotbradley]
- cloud-netconfig
-
- Update to version 1.8:
+ Fix Azure metadata check (bsc#1214715)
+ Fix cleanup on ifdown
- containerd
-
- Update to containerd v1.6.21 for Docker v23.0.6-ce. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.6.21> bsc#1211578
- Require a minimum Go version explicitly rather than using golang(API).
Fixes the change for bsc#1210298.
[ This was only released in SLE. ]
- gcc7
-
- Add gcc7-aarch64-bsc1214052.patch to fix -fstack-protector issues
with variable length stack allocations on aarch64.
Fixes CVE-2023-4039. [bsc#1214052]
- Add gcc7-aarch64-untyped_call.patch to fix issue with __builtin_apply
- Add gcc7-lra-elim.patch to fix internal compiler error when forming
paired loads and stores on aarch64.
- Disable multilib and go on riscv64
- libgcc-riscv-div.patch: Backport of r12-5799-g45116f342057b7 to fix
build with current binutils
- Backport _multibuild auto-generation. Remove redundant
.changes files.
- Add _multibuild to define 2nd spec file as additional flavor.
Eliminates the need for source package links in OBS.
- Add gcc7-pr89124.patch to fix KASAN kernel compile. [bsc#1205145]
- Add gcc7-pr72764.patch to fix ICE with C++17 code as reported
in [bsc#1204505]
- Add gcc7-libsanitizer-cherry-pick-9cf13067cb5088626ba7-from-u.patch
and gcc7-libgo-don-t-include-linux-fs.h-when-building-gen-sys.patch
in order to support glibc 2.36.
- Enable format_spec_file otherwise one gets huge diff after
running change_spec.
- Remove fixed sys/mount.h.
- Add patch from upstream to fix altivec.h redefining bool in C++
which makes bool unusable (boo#1195517):
* gcc7-pr78263.patch
- Add gcc7-ada-Target_Name.patch to adjust gnats idea of the
target, fixing the build of gprbuild. [bsc#1196861]
- Remove include-fixed/sys/rseq.h to fix build on openSUSE:Factory.
- Avoid duplicate license in cross packages.
- cups
-
- cups-2.2.7-CVE-2023-4504.patch fixes CVE-2023-4504
"CUPS PostScript Parsing Heap Overflow"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
bsc#1215204
- cups-2.2.7-CVE-2023-32360.patch fixes CVE-2023-32360
"Information leak through Cups-Get-Document operation"
by requiring authentication for CUPS-Get-Document in cupsd.conf
https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
bsc#1214254
- cups-2.2.7-additional_policies.patch is an updated version
of cups-2.0.3-additional_policies.patch that replaces it
to add the 'allowallforanybody' policy to cupsd.conf
after cups-2.2.7-CVE-2023-32360.patch was applied
- cups-2.2.7-CVE-2023-34241.patch fixes CVE-2023-34241
"use-after-free in cupsdAcceptClient()"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
bsc#1212230
- dbus-1
-
- Sometimes unprivileged users were able to crash dbus-daemon
(CVE-2023-34969, bsc#1212126)
* fix-upstream-CVE-2023-34969.patch
- lvm2
-
- blkdeactivate calls wrong mountpoint cmd (bsc#1214071)
+ bug-1214071-blkdeactivate_calls_wrong_mountpoint.patch
- docker
-
- update to Docker 24.0.5-ce. See upstream changelong online at
<https://docs.docker.com/engine/release-notes/24.0/#2405>. bsc#1213229
- Update to Docker 24.0.4-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2404>. bsc#1213500
- Update to Docker 24.0.3-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2403>. bsc#1213120
- Rebase patches:
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Recommend docker-rootless-extras instead of Require(ing) it, given
it's an additional functionality and not inherently required for
docker to function.
- Add docker-rootless-extras subpackage
(https://docs.docker.com/engine/security/rootless)
- Update to Docker 24.0.2-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2402>. bsc#1212368
* Includes the upstreamed fix for the mount table pollution issue.
bsc#1210797
- Add Recommends for docker-buildx, and add /usr/lib/docker/cli-plugins as
being provided by this package.
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to Docker 23.0.6-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/23.0/#2306>. bsc#1211578
- Rebase patches:
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Re-unify packaging for SLE-12 and SLE-15.
- Add patch to fix build on SLE-12 by switching back to libbtrfs-devel headers
(the uapi headers in SLE-12 are too old).
+ 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- Re-numbered patches:
- 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch`
- Update to Docker 23.0.5-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/23.0/#2305>.
- Rebase patches:
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to Docker 23.0.4-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/23.0/#2304>. bsc#1208074
- Fixes:
* bsc#1214107 - CVE-2023-28840
* bsc#1214108 - CVE-2023-28841
* bsc#1214109 - CVE-2023-28842
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Renumbered patches:
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Remove upstreamed patches:
- 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
- 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- Backport <https://github.com/docker/cli/pull/4228> to allow man pages to be
built without internet access in OBS.
+ cli-0001-docs-include-required-tools-in-source-tree.patch
- dracut
-
- Update to version 049.1+suse.255.g19bd61fd:
* fix(dracut.sh): exit if resolving executable dependencies fails (bsc#1214081)
- firewalld
-
- Fix firewalld does not longer understand IPv4 network masks
of type `255.255.255.0`
Added following patch (boo#1212974)
[+ 0004-fix_rich_source_address_with_netmask.patch]
- fonts-config
-
- get the homedir from getpwuid when no $ENV{"HOME"} set
- added patches
fix bsc#1210700
+ fonts-config-homedir-getpwuid.patch
- gawk
-
- format-tree-positional-arg.patch: Validate index into argument list
(CVE-2023-4156, bsc#1214025)
- glibc
-
- resolv-conf-lock.patch: resolv_conf: release lock on allocation failure
(bsc#1211828, BZ #30527)
- ulp-prologue-into-asm-functions.patch: Add support for livepatches
in ASM written functions (bsc#1211726)
- getlogin-no-loginuid.patch: getlogin_r: fix missing fallback if loginuid
is unset (bsc#1209229, BZ #30235)
- Exclude static archives from preparation for live patching (bnc#1208721)
- grub2
-
- grub2-once: Fix 'sh: terminal_output: command not found' error (bsc#1204563)
- hwdata
-
- update to 0.371:
* Update pci, usb and vendor ids
- update to 0.370:
* Update pci, usb and vendor ids
- update to 0.369:
* Update pci, usb and vendor ids
- hwinfo
-
- merge gh#openSUSE/hwinfo#132
- avoid linking problems with libsamba (bsc#1212756)
- 21.85
- merge gh#openSUSE/hwinfo#127
- create xen usb controller device if necessary (bsc#1204294)
- 21.84
- merge gh#openSUSE/hwinfo#115
- improve treatment of NVME devices (bsc#1200975)
- fix compiler warnings
- 21.83
- open-iscsi
-
- Branched SLE-15-SP3 from Factory. No longer in sync with
Tumbleweed.
- Backported upstream commit, which sets 'safe_logout' and
'startup' in iscsid.conf, to address bsc#1207157
- Updated year in SPEC file
- kernel-default
-
- Refresh patches.suse/powerpc-Move-DMA64_PROPNAME-define-to-a-header.patch.
- commit d263157
- x86/speculation: Mark all Skylake CPUs as vulnerable to GDS (git-fixes).
- commit a3ff58c
- drm/vmwgfx: Test shader type against SVGA3d_SHADERTYPE_MIN (bsc#1203517 CVE-2022-36402)
- commit 5b2dbae
- powerpc/rtas: remove ibm_suspend_me_token (bsc#1023051).
- commit 4f01e57
- Do not add and remove genksyms ifdefs
- Refresh patches.kabi/lockdown-kABI-workaround-for-lockdown_reason-changes.patch.
- Refresh patches.suse/lockdown-also-lock-down-previous-kgdb-use.patch.
- commit e497b88
- powerpc/rtas: move syscall filter setup into separate function
(bsc#1023051).
- commit a36442d
- x86/speculation: Add cpu_show_gds() prototype (git-fixes).
- commit 5d94fff
- x86: Move gds_ucode_mitigated() declaration to header (git-fixes).
- commit 5ab0096
- blacklist.conf: Blacklist redundant docu patch
- commit 1c6d737
- Sort recent hw security-related patches
Move them to the sorted section and adjust patches accordingly.
- Refresh patches.suse/kvm-add-gds_no-support-to-kvm.patch.
- Refresh
patches.suse/x86-speculation-add-force-option-to-gds-mitigation.patch.
- Refresh
patches.suse/x86-speculation-add-gather-data-sampling-mitigation.patch.
- Refresh
patches.suse/x86-speculation-add-kconfig-option-for-gds.patch.
- Refresh
patches.suse/x86-srso-add-a-speculative-ras-overflow-mitigation.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit 5c87dd7
- Input: cyttsp4_core - change del_timer_sync() to
timer_shutdown_sync() (bsc#1213971 CVE-2023-4134).
- commit 3ffe891
- powerpc/rtas: block error injection when locked down
(bsc#1023051).
Refresh patches.kabi/lockdown-kABI-workaround-for-lockdown_reason-changes.patch
- commit 3bd253d
- powerpc/rtas: mandate RTAS syscall filtering (bsc#1023051).
- commit 3251f7a
- powerpc: Move DMA64_PROPNAME define to a header (bsc#1214297
ltc#197503).
- commit c36e5b8
- x86/CPU/AMD: Fix the DIV(0) initial fix attempt (bsc#1213927, CVE-2023-20588).
- commit 48fc5d8
- x86/CPU/AMD: Do not leak quotient data after a division by 0 (bsc#1213927, CVE-2023-20588).
- commit 5e5738e
- net: vmxnet3: fix possible NULL pointer dereference in
vmxnet3_rq_cleanup() (bsc#1214451 CVE-2023-4459).
- commit 1ac9015
- net: nfc: Fix use-after-free caused by nfc_llcp_find_local
(bsc#1213601 CVE-2023-3863).
- nfc: llcp: simplify llcp_sock_connect() error paths (bsc#1213601
CVE-2023-3863).
- nfc: llcp: nullify llcp_sock->dev on connect() error paths
(bsc#1213601 CVE-2023-3863).
- commit 9d4529d
- kabi/severities: Ignore newly added SRSO mitigation functions
- commit 95ed32f
- x86/srso: Correct the mitigation status when SMT is disabled (git-fixes).
- commit 309af7f
- x86/srso: Explain the untraining sequences a bit more (git-fixes).
- commit fa09ab7
- x86/cpu/kvm: Provide UNTRAIN_RET_VM (git-fixes).
- commit 5038558
- x86/cpu: Cleanup the untrain mess (git-fixes).
- commit eda7e6d
- x86/cpu: Rename srso_(.*)_alias to srso_alias_\1 (git-fixes).
- commit 6e5dea6
- xfrm: add NULL check in xfrm_update_ae_params (bsc#1213666
CVE-2023-3772).
- commit fdc40c6
- x86/cpu: Rename original retbleed methods (git-fixes).
- commit 554babe
- x86/srso: Disable the mitigation on unaffected configurations (git-fixes).
- commit a99796e
- x86/retpoline: Don't clobber RFLAGS during srso_safe_ret() (git-fixes).
- commit 2b91cd9
- Update config files. Drop the dpt_i2o kernel module.
For: jsc#PED-4579, CVE-2023-2007
- commit 6a43698
- fs: jfs: fix possible NULL pointer dereference in dbFree() (bsc#1214348 CVE-2023-4385).
- commit ee83171
- xfs: fix sb write verify for lazysbcount (bsc#1214275).
- commit 37c728c
- xfs: update superblock counters correctly for !lazysbcount
(bsc#1214275).
- commit 2b6e01d
- xfs: gut error handling in xfs_trans_unreserve_and_mod_sb()
(bsc#1214275).
- commit e55f7c6
- pseries/iommu/ddw: Fix kdump to work in absence of
ibm,dma-window (bsc#1214297 ltc#197503).
- commit ea499bc
- net: vmxnet3: fix possible use-after-free bugs in
vmxnet3_rq_alloc_rx_buf() (bsc#1214350 CVE-2023-4387).
- commit 0fa208f
- e1000: Remove unnecessary use of kmap_atomic() (jsc#PED-5738).
- commit dfa3fd7
- intel/e1000:fix repeated words in comments (jsc#PED-5738).
- commit e5d93d0
- e1000: Fix typos in comments (jsc#PED-5738).
- commit 64fd6bc
- e1000: switch to napi_consume_skb() (jsc#PED-5738).
- commit 1ad8d9c
- intel: remove checker warning (jsc#PED-5738).
- commit c3ad152
- net: e1000: remove repeated words for e1000_hw.c (jsc#PED-5738).
- commit ace3bf9
- net: e1000: remove repeated word "slot" for e1000_main.c
(jsc#PED-5738).
- commit cfd4849
- e1000: Fix fall-through warnings for Clang (jsc#PED-5738).
- commit 7817f78
- e1000: drop unneeded assignment in e1000_set_itr()
(jsc#PED-5738).
- commit d2ba4db
- io_uring: Acquire completion_lock around io_get_deferred_req
(bsc#1213272 CVE-2023-21400).
- commit 84db304
- md/raid0: Fix performance regression for large sequential writes
(bsc#1213916).
- md/raid0: Factor out helper for mapping and submitting a bio
(bsc#1213916).
- commit b0544bd
- media: usb: siano: Fix warning due to null work_func_t function
pointer (bsc#1213969 CVE-2023-4132).
- commit c44d7c3
- media: usb: siano: Fix use after free bugs caused by
do_submit_urb (bsc#1213969 CVE-2023-4132).
- commit a27f430
- net/sched: cls_route: No longer copy tcf_result on update to
avoid use-after-free (bsc#1214149 CVE-2023-4128).
- net/sched: cls_fw: No longer copy tcf_result on update to
avoid use-after-free (bsc#1214149 CVE-2023-4128).
- net/sched: cls_u32: No longer copy tcf_result on update to
avoid use-after-free (bsc#1214149 CVE-2023-4128).
- commit ea3bad4
- exfat: check if filename entries exceeds max filename length
(bsc#1214120 CVE-2023-4273).
- commit d8c4244
- series.conf: resort
- commit b2ee92a
- netfilter: nf_tables: disallow rule addition to bound chain
via NFTA_RULE_CHAIN_ID (CVE-2023-4147 bsc#1213968).
- commit 1258138
- cxgb4: fix use after free bugs caused by circular dependency
problem (bsc#1213970 CVE-2023-4133).
- timers: Provide timer_shutdown[_sync]() (bsc#1213970).
- timers: Add shutdown mechanism to the internal functions
(bsc#1213970).
- timers: Split [try_to_]del_timer[_sync]() to prepare for
shutdown mode (bsc#1213970).
- timers: Silently ignore timers with a NULL function
(bsc#1213970).
- timers: Rename del_timer() to timer_delete() (bsc#1213970).
- timers: Rename del_timer_sync() to timer_delete_sync()
(bsc#1213970).
- timers: Use del_timer_sync() even on UP (bsc#1213970).
- timers: Update kernel-doc for various functions (bsc#1213970).
- timers: Replace BUG_ON()s (bsc#1213970).
- clocksource/drivers/sp804: Do not use timer namespace for
timer_shutdown() function (bsc#1213970).
- clocksource/drivers/arm_arch_timer: Do not use timer namespace
for timer_shutdown() function (bsc#1213970).
- ARM: spear: Do not use timer namespace for timer_shutdown()
function (bsc#1213970).
- commit 6a1c404
- xen/netback: Fix buffer overrun triggered by unusual packet
(CVE-2023-34319, XSA-432, bsc#1213546).
- commit 3617080
- x86/srso: Tie SBPB bit setting to microcode patch detection (bsc#1213287, CVE-2023-20569).
- commit 3f35ab4
- net: tun_chr_open(): set sk_uid from current_fsuid()
(CVE-2023-4194 bsc#1214019).
- commit 25c979d
- net: tap_open(): set sk_uid from current_fsuid() (CVE-2023-4194
bsc#1214019).
- commit b03d1d8
- x86/microcode/AMD: Make stub function static inline
(bsc#1213868).
- Refresh patches.suse/x86-cpu-amd-add-a-zenbleed-fix.patch.
- commit f587833
- mm: Move mm_cachep initialization to mm_init() (bsc#1206418, CVE-2022-40982).
- commit 487512d
- bpf: add missing header file include (bsc#1211738
CVE-2023-0459).
- commit 0e6ab49
- locking/rwsem: Add __always_inline annotation to
__down_read_common() and inlined callers (bsc#1207270
jsc#PED-4567).
- commit 9e46337
- locking/rwsem: Disable preemption in all down_write*() and
up_write() code paths (bsc#1207270 jsc#PED-4567).
- commit e8b39d0
- locking/rwsem: Disable preemption in all down_read*() and
up_read() code paths (bsc#1207270 jsc#PED-4567).
- commit f20a53f
- locking/rwsem: Prevent non-first waiter from spinning in
down_write() slowpath (bsc#1207270 jsc#PED-4567).
- commit 9c40fdf
- locking/rwsem: Disable preemption while trying for rwsem lock
(bsc#1207270 jsc#PED-4567).
- commit d6741e8
- locking/rwsem: Allow slowpath writer to ignore handoff bit if
not set by first waiter (bsc#1207270 jsc#PED-4567).
- commit 22681e5
- locking/rwsem: Always try to wake waiters in out_nolock path
(bsc#1207270 jsc#PED-4567).
- commit 2dd13e8
- locking/rwsem: Conditionally wake waiters in reader/writer
slowpaths (bsc#1207270 jsc#PED-4567).
- commit c20a7d3
- locking/rwsem: No need to check for handoff bit if wait queue
empty (bsc#1207270 jsc#PED-4567).
- commit 7d6a2e9
- locking: Add missing __sched attributes (bsc#1207270
jsc#PED-4567).
- commit 0f7a2d1
- locking/rwsem: Optimize down_read_trylock() under highly
contended case (bsc#1207270 jsc#PED-4567).
- commit 46658e6
- locking/rwsem: Make handoff bit handling more consistent
(bsc#1207270 jsc#PED-4567).
- commit e47427d
- locking/rwsem: Fix comments about reader optimistic lock
stealing conditions (bsc#1207270 jsc#PED-4567).
- commit 4a0d7cf
- locking: Remove rcu_read_{,un}lock() for preempt_{dis,en}able()
(bsc#1207270 jsc#PED-4567).
- commit ee007db
- lockdep: Add preemption enabled/disabled assertion APIs
(bsc#1207270 jsc#PED-4567).
- commit 1386d93
- locking/rwsem: Disable preemption for spinning region
(bsc#1207270 jsc#PED-4567).
- commit 0fad749
- locking/rwsem: Remove an unused parameter of rwsem_wake()
(bsc#1207270 jsc#PED-4567).
- commit b255b46
- locking/rwsem: Fix comment typo (bsc#1207270 jsc#PED-4567).
- commit 0ac673a
- locking/rwsem: Remove reader optimistic spinning (bsc#1207270
jsc#PED-4567).
- commit 4b129c1
- locking/rwsem: Enable reader optimistic lock stealing
(bsc#1207270 jsc#PED-4567).
- commit 7c0e82a
- locking/rwsem: Prevent potential lock starvation (bsc#1207270
jsc#PED-4567).
- commit 00b076e
- locking/rwsem: Pass the current atomic count to
rwsem_down_read_slowpath() (bsc#1207270 jsc#PED-4567).
- commit 1d2b5fa
- locking/rwsem: Fold __down_{read,write}*() (bsc#1207270
jsc#PED-4567).
- commit fd0b8b5
- locking/rwsem: Introduce rwsem_write_trylock() (bsc#1207270
jsc#PED-4567).
- commit daa9d5f
- locking/rwsem: Better collate rwsem_read_trylock() (bsc#1207270
jsc#PED-4567).
- commit 23252c2
- rwsem: Implement down_read_interruptible (bsc#1207270
jsc#PED-4567).
- commit 07e26fd
- rwsem: Implement down_read_killable_nested (bsc#1207270
jsc#PED-4567).
- commit 42f4ca4
- locking/rwsem: Prepare for a rwsem backport
The rwsem backport will enable the kernel to run on large VMs in Azure
(M416v2, M832v2). The rwsem code is going to be updated with newest
features one of which disables optimistic spinning for readers.
- blacklist.conf: Remove an entry that is part of the backported
patch set.
- Delete
patches.suse/locking-rwsem-Disable-reader-optimistic-spinning.patch.
- commit d354394
- ipv6: rpl: Fix Route of Death (CVE-2023-2156 bsc#1211131).
- commit 5601bfa
- x86/srso: Add IBPB on VMEXIT (bsc#1213287, CVE-2023-20569).
- commit f2c709c
- x86/srso: Add IBPB (bsc#1213287, CVE-2023-20569).
- commit ef6bc71
- x86/srso: Add SRSO_NO support (bsc#1213287, CVE-2023-20569).
- commit a905016
- x86/cpu, kvm: Add support for CPUID_80000021_EAX (bsc#1213287, CVE-2023-20569).
- Refresh patches.suse/x86-cpufeatures-add-kabi-padding.patch.
- commit f39cd8f
- x86/srso: Add IBPB_BRTYPE support (bsc#1213287, CVE-2023-20569).
- commit 5d6a6a0
- x86: Sanitize linker script (bsc#1213287, CVE-2023-20569).
- commit 8ff4f99
- x86/retbleed: Add __x86_return_thunk alignment checks (bsc#1213287, CVE-2023-20569).
- commit e623809
- x86/srso: Add a Speculative RAS Overflow mitigation (bsc#1213287, CVE-2023-20569).
- commit 707be59
- kernel-binary.spec.in: Remove superfluous %% in Supplements
Fixes: 02b7735e0caf ("rpm/kernel-binary.spec.in: Add Enhances and Supplements tags to in-tree KMPs")
- commit 264db74
- net/sched: sch_qfq: account for stab overhead in qfq_enqueue
(CVE-2023-3611 bsc#1213585).
- net/sched: sch_qfq: refactor parsing of netlink parameters
(bsc#1213585).
- blacklist follow-up commit 158810b261d0 ("net/sched: sch_qfq: reintroduce
lmax bound check for MTU") as unlike the original upstream commit, our
backport does not remove the check
- commit 609da2e
- net/sched: cls_u32: Fix reference counter leak leading to
overflow (CVE-2023-3609 bsc#1213586).
- commit b22e9b9
- net/sched: cls_fw: Fix improper refcount update leads to
use-after-free (CVE-2023-3776 bsc#1213588).
- commit b7fc513
- vc_screen: don't clobber return value in vcs_read (bsc#1213167
CVE-2023-3567).
- vc_screen: modify vcs_size() handling in vcs_read() (bsc#1213167
CVE-2023-3567).
- vc_screen: move load of struct vc_data pointer in vcs_read()
to avoid UAF (bsc#1213167 CVE-2023-3567).
- commit da930b7
- block, bfq: Fix division by zero error on zero wsum
(bsc#1213653).
- commit 67879a5
- x86/xen: Fix secondary processors' FPU initialization (bsc#1206418, CVE-2022-40982).
- commit 8a9c409
- x86/fpu: Move FPU initialization into arch_cpu_finalize_init() (bsc#1206418, CVE-2022-40982).
- commit d9e45bd
- x86/fpu: Mark init functions __init (bsc#1206418, CVE-2022-40982).
- commit 613212d
- x86/fpu: Remove cpuinfo argument from init functions (bsc#1206418).
- commit 82c61db
- init, x86: Move mem_encrypt_init() into arch_cpu_finalize_init() (bsc#1206418).
- commit 6fb5f8f
- init: Invoke arch_cpu_finalize_init() earlier (bsc#1206418).
- commit 8ef61c6
- init: Remove check_bugs() leftovers (bsc#1206418).
- commit a639423
- ARM: cpu: Switch to arch_cpu_finalize_init() (bsc#1206418).
- commit cbb96e9
- x86/cpu: Switch to arch_cpu_finalize_init() (bsc#1206418).
- commit 7fa4777
- x86/mm: Initialize text poking earlier (bsc#1206418, CVE-2022-40982).
- Refresh patches.suse/init-provide-arch_cpu_finalize_init.patch.
- commit 9784a5e
- init: Provide arch_cpu_finalize_init() (bsc#1206418).
- commit f81d332
- x86/mm: fix poking_init() for Xen PV guests (bsc#1206418, CVE-2022-40982).
- commit b12d1bf
- x86/mm: Use mm_alloc() in poking_init() (bsc#1206418, CVE-2022-40982).
- commit 9a1d45f
- net: tun: fix bugs for oversize packet when napi frags enabled
(bsc#1213543 CVE-2023-3812).
- commit 5e9be17
- netfilter: nf_tables: do not ignore genmask when looking up
chain by id (CVE-2023-31248 bsc#1213061).
- commit 414921d
- netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
(CVE-2023-35001 bsc#1213059).
- commit b0acbe2
- uaccess: Add speculation barrier to copy_from_user()
(bsc#1211738 CVE-2023-0459).
- commit 93eec59
- netfilter: nf_tables: incorrect error path handling with
NFT_MSG_NEWRULE (CVE-2023-3390 CVE-2023-3117 bsc#1212846
bsc#1213245).
- commit 176a7df
- KVM: Add GDS_NO support to KVM (bsc#1206418, CVE-2022-40982).
- commit 6550823
- x86/speculation: Add Kconfig option for GDS (bsc#1206418, CVE-2022-40982).
- commit eb94624
- x86/speculation: Add force option to GDS mitigation (bsc#1206418, CVE-2022-40982).
- commit 79691d3
- x86/speculation: Add Gather Data Sampling mitigation (bsc#1206418, CVE-2022-40982).
- commit 74a70bc
- ocfs2: fix defrag path triggering jbd2 ASSERT (bsc#1199304).
- ocfs2: fix a deadlock when commit trans (bsc#1199304).
- jbd2: export jbd2_journal_[grab|put]_journal_head (bsc#1199304).
- ocfs2: fix race between searching chunks and release
journal_head from buffer_head (bsc#1199304).
- commit f86bdfe
- Refresh
patches.suse/keys-Fix-linking-a-duplicate-key-to-a-keyring-s-asso.patch.
- commit d8b8cf8
- x86/cpu/amd: Add a Zenbleed fix (bsc#1213286, CVE-2023-20593).
- commit c2a9155
- x86/cpu/amd: Move the errata checking functionality up (bsc#1213286, CVE-2023-20593).
- commit d7a9bc3
- rpm: Update dependency to match current kmod.
- commit d687dc3
- keys: Do not cache key in task struct if key is requested from
kernel thread (bsc#1213354).
- commit 0121b9a
- net: mana: Add support for vlan tagging (bsc#1212301).
- commit 613e87e
- fs: hfsplus: fix UAF issue in hfsplus_put_super (bsc#1211867, CVE-2023-2985).
- commit e01b911
- rpm/check-for-config-changes: ignore also RISCV_ISA_* and DYNAMIC_SIGFRAME
They depend on CONFIG_TOOLCHAIN_HAS_*.
- commit 1007103
- ubi: Fix failure attaching when vid_hdr offset equals to
(sub)page size (bsc#1210584).
- ubi: ensure that VID header offset + VID header size <= alloc,
size (bsc#1210584).
- commit 8f5f025
- Remove more packaging cruft for SLE < 12 SP3
- commit a16781c
- Get module prefix from kmod (bsc#1212835).
- commit f6691b0
- rpm/check-for-config-changes: ignore also PAHOLE_HAS_*
We now also have options like CONFIG_PAHOLE_HAS_LANG_EXCLUDE.
- commit 86b52c1
- usrmerge: Adjust module path in the kernel sources (bsc#1212835).
With the module path adjustment applied as source patch only
ALP/Tumbleweed kernel built on SLE/Leap needs the path changed back to
non-usrmerged.
- commit dd9a820
- ipvlan:Fix out-of-bounds caused by unclear skb->cb (bsc#1212842
CVE-2023-3090).
- commit ddb6922
- x86/build: Avoid relocation information in final vmlinux
(bsc#1187829).
- commit 88b515e
- Refresh
patches.suse/cifs-fix-open-leaks-in-open_cached_dir.patch.
s/sync_hdr/hdr/ - fix build breakage on CONFIG_CIFS_DEBUG2=y.
- commit c3cb631
- kernel-docs: Use python3 together with python3-Sphinx (bsc#1212741).
- commit 95a40a6
- HID: intel_ish-hid: Add check for ishtp_dma_tx_map (git-fixes
bsc#1212606 CVE-2023-3358).
- commit 7077c4f
- usb: gadget: udc: renesas_usb3: Fix use after free bug
in renesas_usb3_remove due to race condition (bsc#1212513
CVE-2023-35828).
- commit 1f06f62
- binfmt_elf: Take the mmap lock when walking the VMA list
(bsc#1209039 CVE-2023-1249).
- commit 3f46ff2
- bluetooth: Perform careful capability checks in hci_sock_ioctl()
(bsc#1210533 CVE-2023-2002).
- commit cb86eb0
- relayfs: fix out-of-bounds access in relay_file_read
(bsc#1212502 CVE-2023-3268).
- kernel/relay.c: fix read_pos error when multiple readers
(bsc#1212502 CVE-2023-3268).
- commit 73e4027
- media: dm1105: Fix use after free bug in dm1105_remove due to
race condition (bsc#1212501 CVE-2023-35824).
- commit 0c9d507
- media: saa7134: fix use after free bug in saa7134_finidev due
to race condition (bsc#1212494 CVE-2023-35823).
- commit 61b38d8
- net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
(CVE-2023-35788 bsc#1212504).
- commit 865936b
- Drop a buggy dvb-core fix patch (bsc#1205758)
Also the kabi workaround is dropped, too
- commit 7ace3fb
- cifs: fix open leaks in open_cached_dir() (bsc#1209342).
- commit 82c30e2
- kernel-docs: Add buildrequires on python3-base when using python3
The python3 binary is provided by python3-base.
- commit c5df526
- fbcon: Check font dimension limits (CVE-2023-3161 bsc#1212154).
- commit 6f6d21f
- Move setting %%build_html to config.sh
- commit 3f65cd5
- memstick: r592: Fix UAF bug in r592_remove due to race condition
(CVE-2023-3141 bsc#1212129 bsc#1211449).
- commit 4d760e7
- firewire: fix potential uaf in outbound_phy_packet_callback()
(CVE-2023-3159 bsc#1212128).
- commit 444321d
- Fix missing top level chapter numbers on SLE12 SP5 (bsc#1212158).
- commit 7ebcbd5
- Move setting %%split_optional to config.sh
- commit 4519250
- Move setting %%supported_modules_check to config.sh
- commit d9c64aa
- rpm/kernel-docs.spec.in: pass PYTHON=python3 to fix build error (bsc#1160435)
- commit 799f050
- rpm/kernel-binary.spec.in: Fix compatibility wth newer rpm
- commit 334fb4d
- Also include kernel-docs build requirements for ALP
- commit 114d088
- Move the kernel-binary conflicts out of the spec file.
Thie list of conflicting packages varies per release.
To reduce merge conflicts move the list out of the spec file.
- commit 4d81125
- sched/rt: pick_next_rt_entity(): check list_entry (bsc#1208600 CVE-2023-1077)
- commit a8f82d0
- Avoid unsuported tar parameter on SLE12
- commit f11765a
- gve: Remove the code of clearing PBA bit (bsc#1211519).
- gve: Secure enough bytes in the first TX desc for all TCP pkts
(bsc#1211519).
- gve: Cache link_speed value from device (bsc#1211519).
- gve: Handle alternate miss completions (bsc#1211519).
- gve: Adding a new AdminQ command to verify driver (bsc#1211519).
- gve: Fix error return code in gve_prefill_rx_pages()
(bsc#1211519).
- gve: Reduce alloc and copy costs in the GQ rx path
(bsc#1211519).
- gve: Fix GFP flags when allocing pages (bsc#1211519).
- google/gve:fix repeated words in comments (bsc#1211519).
- gve: Fix spelling mistake "droping" -> "dropping" (bsc#1211519).
- gve: enhance no queue page list detection (bsc#1211519).
- commit 5088617
- Move obsolete KMP list into a separate file.
The list of obsoleted KMPs varies per release, move it out of the spec
file.
- commit 016bc55
- Trim obsolete KMP list.
SLE11 is out of support, we do not need to handle upgrading from SLE11
SP1.
- commit 08819bb
- Generalize kernel-doc build requirements.
- commit 23b058f
- kernel-binary: Add back kernel-default-base guarded by option
Add configsh option for splitting off kernel-default-base, and for
not signing the kernel on non-efi
- commit 28c22af
- net: rpl: fix rpl header size calculation (CVE-2023-2156
bsc#1211131).
- commit 884cd15
- Drivers: hv: vmbus: Optimize vmbus_on_event (bsc#1211622).
- commit 6cf7013
- usrmerge: Compatibility with earlier rpm (boo#1211796)
- commit 2191d32
- Fix usrmerge error (boo#1211796)
- commit da84579
- Update References
patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch
(bsc#1198400 bsc#1209779 CVE-2023-1637).
- commit 23e11e7
- tcp: Fix data races around icsk->icsk_af_ops (bsc#1204405
CVE-2022-3566).
- commit d1f836b
- Remove usrmerge compatibility symlink in buildroot (boo#1211796)
Besides Makefile depmod.sh needs to be patched to prefix /lib/modules.
Requires corresponding patch to kmod.
- commit b8e00c5
- Update
patches.suse/netfilter-x_tables-use-correct-memory-barriers.patch
(bsc#1184208 CVE-2021-29650 bsc#1211596 CVE-2020-36694).
- commit 0092ed2
- HID: asus: use spinlock to safely schedule workers (bsc#1208604
CVE-2023-1079).
- commit df4ce9a
- HID: asus: use spinlock to protect concurrent accesses
(bsc#1208604 CVE-2023-1079).
- commit 4b7a2e4
- ipv6: sr: fix out-of-bounds read when setting HMAC data
(bsc#1211592).
- commit f37c1a1
- power: supply: bq24190: Fix use after free bug in bq24190_remove
due to race condition (CVE-2023-33288 bsc#1211590).
- commit 3e2047c
- kernel-source: Remove unused macro variant_symbols
- commit 915ac72
- media: dvb_net: kABI workaround (CVE-2022-45886 bsc#1205760).
- media: dvb_frontend: kABI workaround (CVE-2022-45885
bsc#1205758).
- commit c99685c
- media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
(CVE-2022-45887 bsc#1205762).
- media: dvb-core: Fix use-after-free due to race condition at
dvb_ca_en50221 (CVE-2022-45919 bsc#1205803).
- media: dvb-core: Fix use-after-free due to race at
dvb_register_device() (CVE-2022-45884 bsc#1205756).
- media: dvb-core: Fix use-after-free due on race condition at
dvb_net (CVE-2022-45886 bsc#1205760).
- media: dvb-core: Fix kernel WARNING for blocking operation in
wait_event*() (CVE-2023-31084 bsc#1210783).
- media: dvb-core: Fix use-after-free on race condition at
dvb_frontend (CVE-2022-45885 bsc#1205758).
- commit f5d1bea
- media: dvbdev: fix error logic at dvb_register_device()
(CVE-2022-45884 bsc#1205756).
- media: dvbdev: Fix memleak in dvb_register_device
(CVE-2022-45884 bsc#1205756).
- media: media/dvb: Use kmemdup rather than duplicating its
implementation (CVE-2022-45884 bsc#1205756).
- commit fa580d0
- net: sched: sch_qfq: prevent slab-out-of-bounds in
qfq_activate_agg (bsc#1210940 CVE-2023-31436).
- commit eeb865d
- i2c: xgene-slimpro: Fix out-of-bounds bug in
xgene_slimpro_i2c_xfer() (bsc#1210715 CVE-2023-2194).
- commit e9b03ca
- netrom: Fix use-after-free caused by accept on already
connected socket (bsc#1211186 CVE-2023-32269).
- commit e76516d
- SUNRPC: Ensure the transport backchannel association
(bsc#1211203).
- commit db18275
- rpm/constraints.in: Increase disk size constraint for riscv64 to 52GB
- commit 1c1a4cd
- netfilter: nf_tables: deactivate anonymous set from preparation
phase (CVE-2023-32233 bsc#1211043).
- commit 8d253dc
- act_mirred: use the backlog for nested calls to mirred ingress
(CVE-2022-4269 bsc#1206024).
- net/sched: act_mirred: better wording on protection against
excessive stack growth (CVE-2022-4269 bsc#1206024).
- net/sched: act_mirred: refactor the handle of xmit
(CVE-2022-4269 bsc#1206024).
- commit c36d39a
- wifi: brcmfmac: slab-out-of-bounds read in
brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380).
- commit 238a208
- Remove obsolete rpm spec constructs
defattr does not need to be specified anymore
buildroot does not need to be specified anymore
- commit c963185
- kernel-spec-macros: Fix up obsolete_rebuilds_subpackage to generate
obsoletes correctly (boo#1172073 bsc#1191731).
rpm only supports full length release, no provides
- commit c9b5bc4
- ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
(bsc#1206878 bsc#1211105 CVE-2023-2513).
- commit 2a8658b
- ext4: fix use-after-free in ext4_xattr_set_entry (bsc#1206878
bsc#1211105 CVE-2023-2513).
- commit 880db90
- kernel-binary: install expoline.o (boo#1210791 bsc#1211089)
- commit d6c8c20
- net: qcom/emac: Fix use after free bug in emac_remove due to
race condition (bsc#1211037 CVE-2023-2483).
- commit d3abec2
- Update patches.suse/io_uring-prevent-race-on-registering-fixed-files.patch
Fix the missing the bsc# prefix for the bug number in the References tag.
- commit 704a6c4
- timens: Forbid changing time namespace for an io_uring process
(bsc#1208474 CVE-2023-23586).
- commit 89cf4b3
- s390,dcssblk,dax: Add dax zero_page_range operation to dcssblk
driver (bsc#1199636).
- commit 6a9faa3
- krb5
-
- Ensure array count consistency in kadm5 RPC; (bsc#1214054);
(CVE-2023-36054);
- Added patches:
* 0011-Ensure-array-count-consistency-in-kadm5-RPC.patch
- libX11
-
- U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
* Buffer overflows in InitExt.c (boo#1212102, CVE-2023-3138)
- gcc12
-
- Add gcc12-aarch64-bsc1214052.patch to fix -fstack-protector issues
with variable length stack allocations on aarch64.
Fixes CVE-2023-4039. [bsc#1214052]
- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204
* includes regression bug fixes
- Add gcc12-testsuite-fixes.patch to pick testsuite related fixes
from the branch after the release.
- Speed up builds with --enable-link-serialization.
- Update to gcc-12 branch head, 193f7e62815b4089dfaed4c2bd3, git749
- Don't rely on %usrmerged, set it based on standard %suse_version
- Update to gcc-12 branch head, e4b5fec75aa8d0d01f6e042ec28, git696
* remove gcc12-fifo-jobserver-support.patch which is now
included upstream
- avoid trailing backslashes at the end of post install scripts
- Update to gcc-12 branch head, 0aaef83351473e8f4eb774f8f99, git537
- Update embedded newlib to version 4.2.0
* includes newlib-4.1.0-aligned_alloc.patch
- add gcc12-riscv-inline-atomics.patch,
gcc12-riscv-pthread.patch: handle subword size inline atomics
(needed by several openSUSE packages)
- libcap
-
- Fixed integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup()
(bsc#1211419 / CVE-2023-2603) CVE-2023-2603.patch
- cryptsetup
-
- luksFormat: Handle system with low memory and no swap space [bsc#1211079]
* Check for physical memory available also in PBKDF benchmark.
* Try to avoid OOM killer on low-memory systems without swap.
* Use only half of detected free memory on systems without swap.
* Add patches:
- cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch
- cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch
- cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch
- libdb-4_8
-
- Fix incomplete license tag. [bsc#1099695]
- libeconf
-
- Additional info for version 0.5.2:
* Fixed a stack-buffer-overflow vulnerability in "econf_writeFile"
function. (CVE-2023-30078, CVE-2023-32181, bsc#1211078)
* Fixed a stack-buffer-overflow vulnerability in "read_file"
function. (CVE-2023-30079, CVE-2023-22652, bsc#1211078)
- Update to version 0.5.2:
* Fixed build for aarch64 and gcc13.
* Making the output verbose when a test fails.
* Fixed a stack-buffer-overflow vulnerability in "econf_writeFile"
function.
* Fixed a stack-buffer-overflow vulnerability in "read_file"
function.
* Added new feature: econf_set_conf_dirs (const char **dir_postfix_list)
Sets a list of directory structures (with order) which describes
the directories in which the files have to be parsed.
E.G. with the given list: {"/conf.d/", ".d/", "/", NULL} files in following
directories will be parsed:
"<default_dirs>/<project_name>.<suffix>.d/"
"<default_dirs>/<project_name>/conf.d/"
"<default_dirs>/<project_name>.d/"
"<default_dirs>/<project_name>/"
The entry "<default_dirs>/<project_name>.<suffix>.d/" will be added
automatically.
* General code cleanup.
- Update to version 0.5.1:
* Reading files in /usr/_vendor_/_example_._suffix_.d/* regardless
there is a /etc/_example_._suffix_ file. (#175)
- Update to version 0.5.0:
* API calls econf_read*WithCallback supporting a general (void *)
argument for user defined data with which the callback function is
called.
* Tagged following functions deprecated:
econf_requireOwner, econf_requireGroup, econf_requirePermissions,
econf_followSymlinks, econf_reset_security_settings
Use one of the econf_read*WithCallback functions instead.
- Update to version 0.4.9:
* libeconf.h: added missing sys/types.h header (#171)
* new API calls: econf_readFileWithCallback,
econf_readDirsWithCallback, econf_readDirsHistoryWithCallback (#172)
* Checking NULL comment parameter in the parsing functions.
- Update to version 0.4.8+git20221114.7ff7704:
* Parsing files which are containing keys only (#170)
All delimiters are allowed now : "", " =", " ", "=". But the
user should use "" in order to be distinct.
* /usr/etc/shells.d/<file_name> will not be parsed if
/etc/shells.d/<file_name> is defined too.
* Lto build fixed (#168)
* New calls: econf_comment_tag, econf_delimiter_tag, econf_set_comment_tag,
econf_set_delimiter_tag
* Checking UID,GroupID, permissions,... of the parsed files (#165)
New calls: econf_requireOwner, econf_requireGroup, econf_requirePermissions,
econf_followSymlinks
* Ignoring Group without brackets; Do not hold brackets in the internal data structure. (#164)
* Error handling improved for nums and booleans (#163)
- Update to version 0.4.6+git20220427.3016f4e:
* econftool:
* * Parsing error: Reporting file and line nr.
* * --delimeters=spaces Taking all kind of spaces for delimiter
* libeconf:
Fixed bsc#1198165: Parsing files correctly which have space characters
AND none space characters as delimiters.
- Update to version 0.4.5+git20220406.c9658f2:
* econftool:
* * New call "syntax" for checking the configuration files only.
Returns an error string with line number if an error occurs.
* * New options "--comment" and "--delimeters"
* * Parsing one file only if needed.
- mozilla-nss
-
- update to NSS 3.90
* bmo#1623338 - ride along: remove a duplicated doc page
* bmo#1623338 - remove a reference to IRC
* bmo#1831983 - clang-format lib/freebl/stubs.c
* bmo#1831983 - Add a constant time select function
* bmo#1774657 - Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
* bmo#1830973 - output early build errors by default
* bmo#1804505 - Update the technical constraints for KamuSM
* bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates
* bmo#1790763 - Enable default UBSan Checks
* bmo#1786018 - Add explicit handling of zero length records
* bmo#1829391 - Tidy up DTLS ACK Error Handling Path
* bmo#1786018 - Refactor zero length record tests
* bmo#1829112 - Fix compiler warning via correct assert
* bmo#1755267 - run linux tests on nss-t/t-linux-xlarge-gcp
* bmo#1806496 - In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
* bmo#1784163 - Fix reading raw negative numbers
* bmo#1748237 - Repairing unreachable code in clang built with gyp
* bmo#1783647 - Integrate Vale Curve25519
* bmo#1799468 - Removing unused flags for Hacl*
* bmo#1748237 - Adding a better error message
* bmo#1727555 - Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
* bmo#1782980 - Fall back to the softokn when writing certificate trust
* bmo#1806010 - FIPS-104-3 requires we restart post programmatically
* bmo#1826650 - cmd/ecperf: fix dangling pointer warning on gcc 13
* bmo#1818766 - Update ACVP dockerfile for compatibility with debian package changes
* bmo#1815796 - Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
* bmo#1819958 - Removed deprecated sprintf function and replaced with snprintf
* bmo#1822076 - fix rst warnings in nss doc
* bmo#1821997 - Fix incorrect pygment style
* bmo#1821292 - Change GYP directive to apply across platforms
* Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
- Add nss-fix-bmo1836925.patch to fix build-errors
- Merge the libfreebl3-hmac and libsoftokn3-hmac packages
into the respective libraries. (bsc#1185116)
- update to NSS 3.89.1
* bmo#1804505 - Update the technical constraints for KamuSM.
* bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates.
- update to NSS 3.89
* bmo#1820834 - revert freebl/softoken RSA_MIN_MODULUS_BITS increase
* bmo#1820175 - PR_STATIC_ASSERT is cursed
* bmo#1767883 - Need to add policy control to keys lengths for signatures
* bmo#1820175 - Fix unreachable code warning in fuzz builds
* bmo#1820175 - Fix various compiler warnings in NSS
* bmo#1820175 - Enable various compiler warnings for clang builds
* bmo#1815136 - set PORT error after sftk_HMACCmp failure
* bmo#1767883 - Need to add policy control to keys lengths for signatures
* bmo#1804662 - remove data length assertion in sec_PKCS7Decrypt
* bmo#1804660 - Make high tag number assertion failure an error
* bmo#1817513 - CKM_SHA384_KEY_DERIVATION correction maximum key
length from 284 to 384
* bmo#1815167 - Tolerate certificate_authorities xtn in ClientHello
* bmo#1789436 - Fix build failure on Windows
* bmo#1811337 - migrate Win 2012 tasks to Azure
* bmo#1810702 - fix title length in doc
* bmo#1570615 - Add interop tests for HRR and PSK to GREASE suite
* bmo#1570615 - Add presence/absence tests for TLS GREASE
* bmo#1804688 - Correct addition of GREASE value to ALPN xtn
* bmo#1789436 - CH extension permutation
* bmo#1570615 - TLS GREASE (RFC8701)
* bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
* bmo#1815870 - use a different treeherder symbol for each docker
image build task
* bmo#1815868 - pin an older version of the ubuntu:18.04 and
20.04 docker images
* bmo#1810702 - remove nested table in rst doc
* bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag
* bmo#1812671 - build failure while implicitly casting SECStatus
to PRUInt32
- update to NSS 3.88.1
* bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
- update to NSS 3.88
* bmo#1815870 - use a different treeherder symbol for each docker
image build task
* bmo#1815868 - pin an older version of the ubuntu:18.04 and
20.04 docker images
* bmo#1810702 - remove nested table in rst doc
* bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag.
* bmo#1812671 - build failure while implicitly casting SECStatus
to PRUInt32
* bmo#1212915 - Add check for ClientHello SID max length
* bmo#1771100 - Added EarlyData ALPN test support to BoGo shim
* bmo#1790357 - ECH client - Discard resumption TLS < 1.3
Session(IDs|Tickets) if ECH configs are setup
* bmo#1714245 - On HRR skip PSK incompatible with negotiated
ciphersuites hash algorithm
* bmo#1789410 - ECH client: Send ech_required alert on server
negotiating TLS 1.2. Fixed misleading Gtest,
enabled corresponding BoGo test
* bmo#1771100 - Added Bogo ECH rejection test support
* bmo#1771100 - Added ECH 0Rtt support to BoGo shim
* bmo#1747957 - RSA OAEP Wycheproof JSON
* bmo#1747957 - RSA decrypt Wycheproof JSON
* bmo#1747957 - ECDSA Wycheproof JSON
* bmo#1747957 - ECDH Wycheproof JSON
* bmo#1747957 - PKCS#1v1.5 wycheproof json
* bmo#1747957 - Use X25519 wycheproof json
* bmo#1766767 - Move scripts to python3
* bmo#1809627 - Properly link FuzzingEngine for oss-fuzz.
* bmo#1805907 - Extending RSA-PSS bltest test coverage
(Adding SHA-256 and SHA-384)
* bmo#1804091 - NSS needs to move off of DSA for integrity checks
* bmo#1805815 - Add initial testing with ACVP vector sets using
acvp-rust
* bmo#1806369 - Don't clone libFuzzer, rely on clang instead
- update to NSS 3.87
* bmo#1803226 - NULL password encoding incorrect
* bmo#1804071 - Fix rng stub signature for fuzzing builds
* bmo#1803595 - Updating the compiler parsing for build
* bmo#1749030 - Modification of supported compilers
* bmo#1774654 - tstclnt crashes when accessing gnutls server
without a user cert in the database.
* bmo#1751707 - Add configuration option to enable source-based
coverage sanitizer
* bmo#1751705 - Update ECCKiila generated files.
* bmo#1730353 - Add support for the LoongArch 64-bit architecture
* bmo#1798823 - add checks for zero-length RSA modulus to avoid
memory errors and failed assertions later
* bmo#1798823 - Additional zero-length RSA modulus checks
- Remove nss-fix-bmo1774654.patch which is now upstream
- update to NSS 3.86
* bmo#1803190 - conscious language removal in NSS
* bmo#1794506 - Set nssckbi version number to 2.60
* bmo#1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and
CKA_NSS_EMAIL_DISTRUST_AFTER for 3
TrustCor Root Certificates
* bmo#1799038 - Remove Staat der Nederlanden EV Root CA from NSS
* bmo#1797559 - Remove EC-ACC root cert from NSS
* bmo#1794507 - Remove SwissSign Platinum CA - G2 from NSS
* bmo#1794495 - Remove Network Solutions Certificate Authority
* bmo#1802331 - compress docker image artifact with zstd
* bmo#1799315 - Migrate nss from AWS to GCP
* bmo#1800989 - Enable static builds in the CI
* bmo#1765759 - Removing SAW docker from the NSS build system
* bmo#1783231 - Initialising variables in the rsa blinding code
* bmo#320582 - Implementation of the double-signing of the message
for ECDSA
* bmo#1783231 - Adding exponent blinding for RSA.
- update to NSS 3.85
* bmo#1792821 - Modification of the primes.c and dhe-params.c in
order to have better looking tables
* bmo#1796815 - Update zlib in NSS to 1.2.13
* bmo#1796504 - Skip building modutil and shlibsign when building
in Firefox
* bmo#1796504 - Use __STDC_VERSION__ rather than __STDC__ as a guard
* bmo#1796407 - Fix -Wunused-but-set-variable warning from clang 15
* bmo#1796308 - Fix -Wtautological-constant-out-of-range-compare
and -Wtype-limits warnings
* bmo#1796281 - Followup: add missing stdint.h include
* bmo#1796281 - Fix -Wint-to-void-pointer-cast warnings
* bmo#1796280 - Fix -Wunused-{function,variable,but-set-variable}
warnings on Windows
* bmo#1796079 - Fix -Wstring-conversion warnings
* bmo#1796075 - Fix -Wempty-body warnings
* bmo#1795242 - Fix unused-but-set-parameter warning
* bmo#1795241 - Fix unreachable-code warnings
* bmo#1795222 - Mark _nss_version_c unused on clang-cl
* bmo#1795668 - Remove redundant variable definitions in lowhashtest
* Add note about python executable to build instructions.
- update to NSS 3.84
* bmo#1791699 - Bump minimum NSPR version to 4.35
* bmo#1792103 - Add a flag to disable building libnssckbi.
- update to NSS 3.83
* bmo#1788875 - Remove set-but-unused variables from
SEC_PKCS12DecoderValidateBags
* bmo#1563221 - remove older oses that are unused part3/ BeOS
* bmo#1563221 - remove older unix support in NSS part 3 Irix
* bmo#1563221 - remove support for older unix in NSS part 2 DGUX
* bmo#1563221 - remove support for older unix in NSS part 1 OSF
* bmo#1778413 - Set nssckbi version number to 2.58
* bmp#1785297 - Add two SECOM root certificates to NSS
* bmo#1787075 - Add two DigitalSign root certificates to NSS
* bmo#1778412 - Remove Camerfirma Global Chambersign Root from NSS
* bmo#1771100 - Added bug reference and description to disabled
UnsolicitedServerNameAck bogo ECH test
* bmo#1779361 - Removed skipping of ECH on equality of private and
public server name
* bmo#1779357 - Added comment and bug reference to
ECHRandomHRRExtension bogo test
* bmo#1779370 - Added Bogo shim client HRR test support. Fixed
overwriting of CHInner.random on HRR
* bmo#1779234 - Added check for server only sending ECH extension
with retry configs in EncryptedExtensions and if not
accepting ECH. Changed config setting behavior to
skip configs with unsupported mandatory extensions
instead of failing
* bmo# 1771100 - Added ECH client support to BoGo shim. Changed
CHInner creation to skip TLS 1.2 only extensions to
comply with BoGo
* bmo#1771100 - Added ECH server support to BoGo shim. Fixed NSS ECH
server accept_confirmation bugs
* bmo#1771100 - Update BoGo tests to recent BoringSSL version
* bmo#1785846 - Bump minimum NSPR version to 4.34.1
- update to NSS 3.82
* bmo#1330271 - check for null template in sec_asn1{d,e}_push_state
* bmo#1735925 - QuickDER: Forbid NULL tags with non-zero length
* bmo#1784724 - Initialize local variables in
TlsConnectTestBase::ConnectAndCheckCipherSuite
* bmo#1784191 - Cast the result of GetProcAddress
* bmo#1681099 - pk11wrap: Tighten certificate lookup based on
PKCS #11 URI.
- update to NSS 3.81
* bmo#1762831 - Enable aarch64 hardware crypto support on OpenBSD
* bmo#1775359 - make NSS_SecureMemcmp 0/1 valued
* bmo#1779285 - Add no_application_protocol alert handler and
test client error code is set
* bmo#1777672 - Gracefully handle null nickname in
CERT_GetCertNicknameWithValidity
* required for Firefox 104
- raised NSPR requirement to 4.34.1
- changing some Requires from (pre) to generic as (pre) is not
sufficient (boo#1202118)
- update to NSS 3.80
* bmo#1774720 - Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
* bmo#1617956 - Add support for asynchronous client auth hooks.
* bmo#1497537 - nss-policy-check: make unknown keyword check optional.
* bmo#1765383 - GatherBuffer: Reduced plaintext buffer allocations
by allocating it on initialization. Replaced
redundant code with assert. Debug builds: Added
buffer freeing/allocation for each record.
* bmo#1773022 - Mark 3.79 as an ESR release.
* bmo#1764206 - Bump nssckbi version number for June.
* bmo#1759815 - Remove Hellenic Academic 2011 Root.
* bmo#1770267 - Add E-Tugra Roots.
* bmo#1768970 - Add Certainly Roots.
* bmo#1764392 - Add DigitCert Roots.
* bmo#1759794 - Protect SFTKSlot needLogin with slotLock.
* bmo#1366464 - Compare signature and signatureAlgorithm fields in
legacy certificate verifier.
* bmo#1771497 - Uninitialized value in cert_VerifyCertChainOld.
* bmo#1771495 - Unchecked return code in sec_DecodeSigAlg.
* bmo#1771498 - Uninitialized value in cert_ComputeCertType.
* bmo#1760998 - Avoid data race on primary password change.
* bmo#1769063 - Replace ppc64 dcbzl intrinisic.
* bmo#1771036 - Allow LDFLAGS override in makefile builds.
- freetype2
-
- Added patch:
* CVE-2023-2004.patch
+ fixes bsc#1210419, CVE-2023-2004: Integer overflow
- libjansson
-
- Update to 2.14 (boo#1201817):
* New Features:
+ Add `json_object_getn`, `json_object_setn`, `json_object_deln`, and the
corresponding `nocheck` functions.
+ Add jansson_version_str() and jansson_version_cmp() for runtime
version checking
+ Add json_object_update_new(), json_object_update_existing_new()
and json_object_update_missing_new() functions
+ Add json_object_update_recursive()
+ Add `json_pack()` format specifiers s*, o* and O* for values
that can be omitted if null (#339).
+ Add `json_error_code()` to retrieve numeric error codes
(#365, #380, #381).
+ Enable thread safety for `json_dump()` on all systems.
Enable thread safe `json_decref()` and `json_incref()` for
modern compilers (#389).
+ Add `json_sprintf()` and `json_vsprintf()` (#393).
* Fixes:
+ Handle `sprintf` corner cases.
+ Add infinite loop check in json_deep_copy()
+ Enhance JANSSON_ATTRS macro to support earlier C standard(C89)
+ Update version detection for sphinx-build
+ Fix error message in `json_pack()` for NULL object (#409).
+ Avoid invalid memory read in `json_pack()` (#421).
+ Call va_end after va_copy in `json_vsprintf()` (#427).
+ Improve handling of formats with '?' and '*' in `json_pack()`
(#438).
+ Remove inappropriate `jsonp_free()` which caused
segmentation fault in error handling (#444).
+ Fix incorrect report of success from `json_dump_file()` when
an error is returned by `fclose()` (#359).
+ Make json_equal() const-correct (#344).
+ Fix incomplete stealing of references by `json_pack()` (#374)
- Use GitHub as source URLs: Release hasn't been uploaded to digip.org.
- Add check section.
- openldap2
-
- bsc#1212260 - crash in libldap when non-ldap data responds
* 0245-ITS-9803-Drop-connection-when-receiving-non-LDAP-dat.patch
- liblognorm
-
- Upgrade to liblognorm v2.0.6 (jsc#PED-4883)
* 2018-11-02: nitfixes: issues deteced by CodeFactor.com
* 2018-11-01: more cleanup of shell scripting
* 2018-10-31: cleanup shell scripting
* 2018-10-26: implement Checkpoint LEA transfer format
* 2018-10-31: fix mising shebangs in test scripts
* 2018-10-30: fix some bash style nits
* 2018-07-15: fix very theoretic misadressing (gcc-8 warning)
* 2018-06-26: string parser: add "lazy" matching mode
* 2018-05-30: Update lognormalizer.c
* 2018-05-30: Update lognormalizer.c to support case fallthrough
* 2018-05-30: Update README
* 2018-05-10: Fix for #229 (cisco-interface-spec at end of line)
* 2018-03-21: Suppress invalid param error for name to fix #270
- Upgrade to liblognorm v2.0.5
* 2018-04-25: fix potential NULL pointer addressing
* 2018-04-07: Add test for nested user types
* 2018-04-07: Fix use after free with nested user types (#235)
* 2018-04-25: build system: fix gcc warning
* 2018-04-25: make "make check" "succeed" on solaris 10
* 2018-04-16: fix build warnings with some newer compilers
* 2018-04-16: remove dead code
* 2018-04-16: fix potential memory leaks during config processing
* 2018-04-16: fix memory leak during config processing
* 2018-04-16: csv encoder: fix format error when processing arrays
* 2018-03-29: Explicitly list supported whitespace characters
* 2018-03-28: "fix" return type of unused dummy function
- replaces liblognorm-2.0.4-no-return-in-nonvoid-function.patch
* 2018-03-21: Suppress invalid param error for name to fix #270
* 2018-03-19: fix header guard
* 2018-03-06: Correct CLI options in the docs
* 2018-01-13: AIX port : added compatibility and modified lognormalizer for AIX.
* 2017-11-29: codestyle: correct line length to 120
* 2017-11-29: codestyle: set max line length to 120
* 2017-11-25: fix some very bad line length violations
* 2017-11-25: travis: temporarily permit longer line length
* 2017-10-19: make build with gcc7
* 2017-10-05: es_str2cstr leak in string-to v1 parse
- openssl-1_1
-
- Security fix: (bsc#1213853, CVE-2023-3817)
* Fix excessive time spent checking DH q parameter value
(bsc#1213853, CVE-2023-3817). The function DH_check() performs
various checks on DH parameters. After fixing CVE-2023-3446 it
was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A
correct q value, if present, cannot be larger than the modulus
p parameter, thus it is unnecessary to perform these checks if
q is larger than p. If DH_check() is called with such q parameter
value, DH_CHECK_INVALID_Q_VALUE return flag is set and the
computationally intensive checks are skipped.
* Add openssl-1_1-CVE-2023-3817.patch
- Dont pass zero length input to EVP_Cipher because assembler
optimized AES cannot handle zero size. [bsc#1213517]
* Add openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch
- Security fix: [bsc#1213487, CVE-2023-3446]
* Fix DH_check() excessive time with over sized modulus.
* The function DH_check() performs various checks on DH parameters.
One of those checks confirms that the modulus ("p" parameter) is
not too large. Trying to use a very large modulus is slow and
OpenSSL will not normally use a modulus which is over 10,000 bits
in length.
However the DH_check() function checks numerous aspects of the
key or parameters that have been supplied. Some of those checks
use the supplied modulus value even if it has already been found
to be too large.
A new limit has been added to DH_check of 32,768 bits. Supplying
a key/parameters with a modulus over this size will simply cause
DH_check() to fail.
* Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch
- Security Fix: [bsc#1207534, CVE-2022-4304]
* Reworked the Fix for the Timing Oracle in RSA Decryption
The previous fix for this timing side channel turned out to cause
a severe 2-3x performance regression in the typical use case
compared to 1.1.1s.
* Add openssl-CVE-2022-4304.patch
* Removed patches:
- openssl-CVE-2022-4304-1of2.patch
- openssl-CVE-2022-4304-2of2.patch
* Refreshed openssl-CVE-2023-0286.patch
- Update further expiring certificates that affect tests [bsc#1201627]
* Add openssl-Update-further-expiring-certificates.patch
- parted
-
- fix null pointer dereference (bsc#1193412)
- add: parted-fix-check-diskp-in-do_name.patch
- update mkpart options in manpage (bsc#1182142)
- add: parted-mkpart-manpage.patch
- pcre2
-
- Security fix: [bsc#1213514, CVE-2022-41409]
* Integer overflow vulnerability in pcre2test before 10.41
allows attackers to cause a denial of service or other
unspecified impacts via negative input.
* Add pcre2-CVE-2022-41409.patch
- procps
-
- Add patch CVE-2023-4016.patch
* CVE-2023-4016: ps buffer overflow (bsc#1214290)
- libxml2
-
- Security update:
* [CVE-2023-39615, bsc#1214768] Crafted xml can cause global
buffer overflow
- Added file libxml2-CVE-2023-39615.patch
- libyajl
-
- add libyajl-CVE-2023-33460.patch (CVE-2023-33460, bsc#1212928)
- libzypp
-
- Fixup changes for 17.31.16. Remove faulty reference to a bug
actually fixed in 2019.
- version 17.31.20 (22)
- Fix zypp-tui/output/Out.h to build with clang.
- Fix zypp/Arch.h for clang (fixes #478)
Clang seems to have issues with picking the overload in
std::men_fn if there is a static overload of a member function.
We need to explicitely specify the correct type of the function
pointer. To make sure this would not break compiling a
application with clang that builds against libzypp this patch
works around the problem.
- version 17.31.19 (22)
- SINGLE_RPMTRANS: Respect ZYPP_READONLY_HACK when checking the
zypp-rpm lock (fixes openSUSE/openSUSE-repos#29)
- version 17.31.18 (22)
- Fix wrong filesize exceeded dl abort in zyppng::Downloader
(bsc#1213673)
In some cases when downloading very small files we can run into
issues when the URL is protected by credentials.
- version 17.31.17 (22)
- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Don't cleanup orphaned dirs if read-only mode was promised
(bsc#1210740)
- version 17.31.16 (22)
- Fix build against protobuf >= 22 (fixes #465, closes #466)
Port away from protobuf_generate_cpp. Upstream protobuf does not
export protobuf_generate_cpp by default anymore.
Use protobuf_generate instead, which is also available on older
versions.
- Remove SUSE < SLE11 constructs (fixes #464).
- version 17.31.15 (22)
- build: honor libproxy.pc's includedir (bsc#1212222)
- Curl: trim all custom headers (bsc#1212187)
HTTP/2 RFC 9113 forbids fields ending with a space. So we make
sure all custom headers are trimmed. This also includes headers
returned by URL-Resolver plugins.
- version 17.31.14 (22)
- shadow
-
- bsc#1213189: Change lock mechanism to file locking to prevent
lock files after power interruptions
- Add shadow-4.8.1-lock-mechanism.patch
- bsc#1206627: Add --prefix support to passwd, chpasswd and chage
Needed for YaST
- Add shadow-4.8.1-add-prefix-passwd-chpasswd-chage.patch
- man
-
- Use inverted exit status in exec option of find command to
avoid refreshing man database (boo#1155879)
- Minor corrections on %ghost /var/cache/man
- mozilla-nspr
-
- update to version 4.35
* fixes for building with clang
* use the number of online processors for the
PR_GetNumberOfProcessors() API on some platforms
* fix build on mips+musl libc
* Add support for the LoongArch 64-bit architecture
- nfs-utils
-
- Add 0032-exportfs-Ingnore-export-failures-in-nfs-server.seriv.patch
Inconsistencies in /etc/exports shouldn't be fatal.
(bsc#1212594)
- Add 0030-systemd-use-correct-modprobe-d-directory
SLE15-SP5 an earlier don't use /usr/lib/modprobe.d
(bsc#1200710)
- Add 0031-mountd-don-t-advertise-krb5-for-v4root-when-not-conf.patch
Avoid unhelpful warning if rpcsec_gss_krb5.ko not installed
- Add 0028-mount.nfs-always-include-mountpoint-or-spec-if-error.patch
boo#1157881
- Add 0029-nfsd.man-fix-typo-in-section-on-scope.patch
bsc#1209859
- Allow scope to be set in sysconfig: NFSD_SCOPE
- openssh
-
- Add openssh-CVE-2023-38408-PKCS11-execution.patch, Abort if
requested to load a PKCS#11 provider that isnt a PKCS#11
provider (bsc#1213504,CVE-2023-38408)
- openssh-7.7p1-fips_checks.patch: close the right filedescriptor
to avoid fd leads, and also close fdh in read_hmac (bsc#1209536)
- perl-Bootloader
-
- merge gh#openSUSE/perl-bootloader#152
- use signed grub EFI binary when updating grub in default EFI
location (bsc#1210799)
- check whether grub2-install supports --suse-force-signed option
- 0.944
- merge gh#openSUSE/perl-bootloader#147
- UEFI: update also default location, if it is controlled by SUSE
(bsc#1210799, bsc#1201399)
- 0.943
- merge gh#openSUSE/perl-bootloader#142
- use fw_platform_size to distinguish between 32 bit and 64 bit
UEFI platforms (bsc#1208003)
- 0.942
- merge gh#openSUSE/perl-bootloader#141
- systemd-boot: easier initial setup
- 0.941
- merge gh#openSUSE/perl-bootloader#140
- add basic support for systemd-boot
- 0.940
- perl
-
- enable TLS cert verification in CPAN [bnc#1210999] [CVE-2023-31484]
new patch: perl-cpan_verify_cert.diff
- python-configobj
-
- Add CVE-2023-26112.patch (bsc#1210070)
- python3-ec2metadata
-
- Update to version 5.0.0 (bsc#1214215)
+ Remove the --use-token command line option. Aws is deprecating access
to instance metadata without authentication token. Ability to access
metadat without token has been removed
+ Support access to the metadata server over IPv6. If the customer
enables the IPv6 endpoint for an instance it will be preferred over the
IPv4 endpoint
- python-libxml2-python
-
- Security update:
* [CVE-2023-39615, bsc#1214768] Crafted xml can cause global
buffer overflow
- Added file libxml2-CVE-2023-39615.patch
- python-pyasn1
-
- To avoid users of this package having to recompile bytecode
files, change the mtime of any __init__.py. (bsc#1207805)
- python-requests
-
- Add CVE-2023-32681.patch to fix unintended leak of
Proxy-Authorization header (CVE-2023-32681, bsc#1211674)
Upstream commit: gh#psf/requests@74ea7cf7a6a2
- salt
-
- Prevent _pygit2.GitError: error loading known_hosts when $HOME is not set (bsc#1210994)
- Fix ModuleNotFoundError and other issues raised by salt-support module (bsc#1211591)
- tornado: Fix an open redirect in StaticFileHandler (CVE-2023-28370, bsc#1211741)
- Added:
* 3006.0-prevent-_pygit2.giterror-error-loading-known_.patch
* fix-some-issues-detected-in-salt-support-cli-module-.patch
* tornado-fix-an-open-redirect-in-staticfilehandler-cv.patch
- Make master_tops compatible with Salt 3000 and older minions (bsc#1212516) (bsc#1212517)
- Added:
* make-master_tops-compatible-with-salt-3000-and-older.patch
- Avoid failures due transactional_update module not available in Salt 3006.0 (bsc#1211754)
- Added:
* define-__virtualname__-for-transactional_update-modu.patch
- Avoid conflicts with Salt dependencies versions (bsc#1211612)
- Added:
* avoid-conflicts-with-dependencies-versions-bsc-12116.patch
- Update to Salt release version 3006.0 (jsc#PED-4360)
* See release notes: https://docs.saltproject.io/en/latest/topics/releases/3006.0.html
- Add missing patch after rebase to fix collections Mapping issues
- Add python3-looseversion as new dependency for salt
- Add python3-packaging as new dependency for salt
- Allow entrypoint compatibility for "importlib-metadata>=5.0.0" (bsc#1207071)
- Create new salt-tests subpackage containing Salt tests
- Drop conflictive patch dicarded from upstream
- Fix SLS rendering error when Jinja macros are used
- Fix version detection and avoid building and testing failures
- Prevent deadlocks in salt-ssh executions
- Require python3-jmespath runtime dependency (bsc#1209233)
- Added:
* 3005.1-implement-zypper-removeptf-573.patch
* control-the-collection-of-lvm-grains-via-config.patch
* fix-version-detection-and-avoid-building-and-testing.patch
* make-sure-the-file-client-is-destroyed-upon-used.patch
* skip-package-names-without-colon-bsc-1208691-578.patch
* use-rlock-to-avoid-deadlocks-in-salt-ssh.patch
- Modified:
* activate-all-beacons-sources-config-pillar-grains.patch
* add-custom-suse-capabilities-as-grains.patch
* add-environment-variable-to-know-if-yum-is-invoked-f.patch
* add-migrated-state-and-gpg-key-management-functions-.patch
* add-publish_batch-to-clearfuncs-exposed-methods.patch
* add-salt-ssh-support-with-venv-salt-minion-3004-493.patch
* add-sleep-on-exception-handling-on-minion-connection.patch
* add-standalone-configuration-file-for-enabling-packa.patch
* add-support-for-gpgautoimport-539.patch
* allow-vendor-change-option-with-zypper.patch
* async-batch-implementation.patch
* avoid-excessive-syslogging-by-watchdog-cronjob-58.patch
* bsc-1176024-fix-file-directory-user-and-group-owners.patch
* change-the-delimeters-to-prevent-possible-tracebacks.patch
* debian-info_installed-compatibility-50453.patch
* dnfnotify-pkgset-plugin-implementation-3002.2-450.patch
* do-not-load-pip-state-if-there-is-no-3rd-party-depen.patch
* don-t-use-shell-sbin-nologin-in-requisites.patch
* drop-serial-from-event.unpack-in-cli.batch_async.patch
* early-feature-support-config.patch
* enable-passing-a-unix_socket-for-mysql-returners-bsc.patch
* enhance-openscap-module-add-xccdf_eval-call-386.patch
* fix-bsc-1065792.patch
* fix-for-suse-expanded-support-detection.patch
* fix-issue-2068-test.patch
* fix-missing-minion-returns-in-batch-mode-360.patch
* fix-ownership-of-salt-thin-directory-when-using-the-.patch
* fix-regression-with-depending-client.ssh-on-psutil-b.patch
* fix-salt-ssh-opts-poisoning-bsc-1197637-3004-501.patch
* fix-salt.utils.stringutils.to_str-calls-to-make-it-w.patch
* fix-the-regression-for-yumnotify-plugin-456.patch
* fix-traceback.print_exc-calls-for-test_pip_state-432.patch
* fixes-for-python-3.10-502.patch
* include-aliases-in-the-fqdns-grains.patch
* info_installed-works-without-status-attr-now.patch
* let-salt-ssh-use-platform-python-binary-in-rhel8-191.patch
* make-aptpkg.list_repos-compatible-on-enabled-disable.patch
* make-setup.py-script-to-not-require-setuptools-9.1.patch
* pass-the-context-to-pillar-ext-modules.patch
* prevent-affection-of-ssh.opts-with-lazyloader-bsc-11.patch
* prevent-pkg-plugins-errors-on-missing-cookie-path-bs.patch
* prevent-shell-injection-via-pre_flight_script_args-4.patch
* read-repo-info-without-using-interpolation-bsc-11356.patch
* restore-default-behaviour-of-pkg-list-return.patch
* return-the-expected-powerpc-os-arch-bsc-1117995.patch
* revert-fixing-a-use-case-when-multiple-inotify-beaco.patch
* run-salt-api-as-user-salt-bsc-1064520.patch
* run-salt-master-as-dedicated-salt-user.patch
* save-log-to-logfile-with-docker.build.patch
* switch-firewalld-state-to-use-change_interface.patch
* temporary-fix-extend-the-whitelist-of-allowed-comman.patch
* update-target-fix-for-salt-ssh-to-process-targets-li.patch
* use-adler32-algorithm-to-compute-string-checksums.patch
* use-salt-bundle-in-dockermod.patch
* x509-fixes-111.patch
* zypperpkg-ignore-retcode-104-for-search-bsc-1176697-.patch
- Removed:
* 3003.3-do-not-consider-skipped-targets-as-failed-for.patch
* 3003.3-postgresql-json-support-in-pillar-423.patch
* add-amazon-ec2-detection-for-virtual-grains-bsc-1195.patch
* add-missing-ansible-module-functions-to-whitelist-in.patch
* add-rpm_vercmp-python-library-for-version-comparison.patch
* add-support-for-name-pkgs-and-diff_attr-parameters-t.patch
* adds-explicit-type-cast-for-port.patch
* align-amazon-ec2-nitro-grains-with-upstream-pr-bsc-1.patch
* backport-syndic-auth-fixes.patch
* batch.py-avoid-exception-when-minion-does-not-respon.patch
* check-if-dpkgnotify-is-executable-bsc-1186674-376.patch
* clarify-pkg.installed-pkg_verify-documentation.patch
* detect-module.run-syntax.patch
* do-not-crash-when-unexpected-cmd-output-at-listing-p.patch
* enhance-logging-when-inotify-beacon-is-missing-pyino.patch
* fix-62092-catch-zmq.error.zmqerror-to-set-hwm-for-zm.patch
* fix-crash-when-calling-manage.not_alive-runners.patch
* fixes-pkg.version_cmp-on-openeuler-systems-and-a-few.patch
* fix-exception-in-yumpkg.remove-for-not-installed-pac.patch
* fix-for-cve-2022-22967-bsc-1200566.patch
* fix-inspector-module-export-function-bsc-1097531-481.patch
* fix-ip6_interface-grain-to-not-leak-secondary-ipv4-a.patch
* fix-issues-with-salt-ssh-s-extra-filerefs.patch
* fix-jinja2-contextfuntion-base-on-version-bsc-119874.patch
* fix-multiple-security-issues-bsc-1197417.patch
* fix-salt-call-event.send-call-with-grains-and-pillar.patch
* fix-salt.states.file.managed-for-follow_symlinks-tru.patch
* fix-state.apply-in-test-mode-with-file-state-module-.patch
* fix-test_ipc-unit-tests.patch
* fix-the-regression-in-schedule-module-releasded-in-3.patch
* fix-wrong-test_mod_del_repo_multiline_values-test-af.patch
* fixes-56144-to-enable-hotadd-profile-support.patch
* fopen-workaround-bad-buffering-for-binary-mode-563.patch
* force-zyppnotify-to-prefer-packages.db-than-packages.patch
* ignore-erros-on-reading-license-files-with-dpkg_lowp.patch
* ignore-extend-declarations-from-excluded-sls-files.patch
* ignore-non-utf8-characters-while-reading-files-with-.patch
* implementation-of-held-unheld-functions-for-state-pk.patch
* implementation-of-suse_ip-execution-module-bsc-10999.patch
* improvements-on-ansiblegate-module-354.patch
* include-stdout-in-error-message-for-zypperpkg-559.patch
* make-pass-renderer-configurable-other-fixes-532.patch
* make-sure-saltcacheloader-use-correct-fileclient-519.patch
* mock-ip_addrs-in-utils-minions.py-unit-test-443.patch
* normalize-package-names-once-with-pkg.installed-remo.patch
* notify-beacon-for-debian-ubuntu-systems-347.patch
* refactor-and-improvements-for-transactional-updates-.patch
* retry-if-rpm-lock-is-temporarily-unavailable-547.patch
* set-default-target-for-pip-from-venv_pip_target-envi.patch
* state.apply-don-t-check-for-cached-pillar-errors.patch
* state.orchestrate_single-does-not-pass-pillar-none-4.patch
* support-transactional-systems-microos.patch
* wipe-notify_socket-from-env-in-cmdmod-bsc-1193357-30.patch
- spacewalk-certs-tools
-
- version 4.2.20-1
* Update translations
- rsync
-
- Drop rsync-fix-external-compression.patch, rsync-iconv-segfault.patch
- Fix --delay-updates never updates after interruption [bsc#1204538]
* Added patch rsync-fix-delay-updates-never-updates-after-interruption.patch
- rsyslog
-
- fix segfaults in modExit() of imklog.c (bsc#1211757)
* add 0001-imklog-fix-invalid-memory-adressing-could-cause-abor.patch
- fix removal of imfile state files (bsc#1213212)
* add 0001-fixing-the-deleteStateOnFileDelete-option.patch
- runc
-
- Update to runc v1.1.7. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.7>.
- Update runc.keyring to upstream version.
- Update to runc v1.1.6. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.6>.
- samba
-
- Move libcluster-samba4.so from samba-libs to samba-client-libs;
(bsc#1213940);
- secure channel faulty since Windows 10/11 update 07/2023;
(bso#15418); (bsc#1213384).
- CVE-2022-2127: lm_resp_len not checked properly in
winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174).
- CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite
Loop Denial-of-Service Vulnerability; (bso#15340); (bsc#1213173).
- CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type
Confusion Denial-of-Service Vulnerability; (bso#15341); (bsc#1213172).
- CVE-2023-34968: Spotlight server-side Share Path Disclosure;
(bso#15388); (bsc#1213171).
- 000release-packages:sle-module-basesystem-release
-
n/a
- 000release-packages:sle-module-public-cloud-release
-
n/a
- 000release-packages:sle-module-server-applications-release
-
n/a
- 000product:sle-module-suse-manager-proxy-release
-
n/a
- spacewalk-backend
-
- version 4.2.29-1
* Use a constant to get the product name in python code rather than reading rhn.conf (bsc#1212943)
* Only show missing /root/.curlrc error with log_level = 5 (bsc#1212507)
- version 4.2.28-1
* Filter CLM modular packages using release strings (bsc#1207814)
* Add package details to reposync error logging
- spacewalk-web
-
- version 4.2.36-1
* Update the translations from weblate
* Fix VHM CPU and RAM display when 0 (bsc#1175823)
* Fix parsing error when showing notification message details (bsc#1211469)
- version 4.2.35-1
* Show loading indicator on formula details pages (bsc#1179747)
* Increase datetimepicker font sizes (bsc#1210437)
* Fix an issue where the datetimepicker shows wrong date (bsc#1209231)
- spacewalk-proxy-installer
-
- version 4.2.12-1
* Fix squid refresh_pattern for "venv-enabled-*.txt" files to avoid
serving outdated version of the file (bsc#1211956)
- spacewalk-ssl-cert-check
-
- version 4.2.3-1
* Update translations
- supportutils-plugin-suse-public-cloud
-
- Update to version 1.0.8 (bsc#1213951)
+ Capture CSP billing adapter config and log (issue#13)
+ Accept upper case Amazon string in DMI table (issue#12)
- susemanager-build-keys
-
- Version 15.3.9
* add SUSE Liberty v2 key (bsc#1212096)
+ Added: RPM-GPG-KEY-SUSE-Liberty-v2
* add Debian 12 (bookworm) GPG keys (bsc#1212363)
+ Added:
debian-archive-key-12-security-254CF3B5AEC0A8F0.asc
debian-archive-key-12-B7C5D7D6350947F8.asc
debian-release-12-F8D2585B8783D481.asc
* add new 4096 bit RSA package hub key
+ Added: packagehub-gpg-pubkey-8A49EB0325DB7AE0.asc
- Version 15.3.8
* fix installation of sle15 RSA reserve build key
* add new 4096 bit RSA openSUSE build key gpg-pubkey-29b700a4.asc
- vim
-
- Updated to version 9.0 with patch level 1572, fixes the following security problems
* Fixing bsc#1210996 (CVE-2023-2426) - VUL-0: CVE-2023-2426: vim: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.
* Fixing bsc#1211256 (CVE-2023-2609) - VUL-1: CVE-2023-2609: vim: NULL Pointer Dereference prior to 9.0.1531
* Fixing bsc#1211257 (CVE-2023-2610) - VUL-1: CVE-2023-2610: vim: Integer Overflow or Wraparound prior to 9.0.1532
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1443...v9.0.1572
- Fixing bsc#1211461 - L3: vim "eats" first character from prompt in xterm
* Add: reorder-exit-raw-mode.patch
* Swaps out_str_t_TE() and cursor_on() during exit to prevent missing characters in xterm prompt on exit.
- wicked
-
- ifconfig: fix arp notify loop (boo#1212806) and burst sending
[+ 0001-fix_arp_notify_loop_and_burst_sending.patch]
- update to version 0.6.73
- spec: cleanup artefacts and fix some rpmlint warnings
- arp: allow verify/notify counter and interval configuration
- arp: handle ENOBUFS sending errors (bsc#1203300)
- extensions: improve environment variable handling
- firmware: refactor firmware extension definition
- firmware: enable, disable and revert cli commands
- code cleanup: fix memory leaks, add array/list utils
- wireless: Ignore WIRELESS_EAP_AUTH within TLS (bsc#1211026)
- cleanup /var/run leftovers in extension scripts (bsc#1194557)
- json: output formatting improvements and Unicode support
- bond: workaround 6.1 kernel enslave regression (boo#1206674)
- update to version 0.6.72
- client: add `wicked firmware extensions|interfaces|enable|disable`
command to improve `ibft`,`nbft`,`redfish` firmware extension and
interface handling.
- client: improve error handling in netif firmware discovery
extension execution and extension definition overrides in
the wicked-config.
- nanny: fix use-after-free in debug mode (bsc#1206447)
- spec: replace transitional `%usrmerged` macro with regular
version check (boo#1206798)
- client: improve to show `no-carrier` in ifstatus output
- linux: cleanup inclusions and update uapi header to 6.0
- ethtool: link mode nwords cleanup and new advertise mode names
- update to version 0.6.71
- dhcp: enable raw-ip support for wwan-qmi interfaces (jsc#PED-90)
- schema: fix the ip rule to-selector to handle network prefixes
- spec: Add /etc/sysconfig/network to file list, no longer in the
default list of a cleaned up filesystem package on tumbleweed
(https://github.com/openSUSE/wicked/pull/939).
- xen
-
- Update to Xen 4.14.6 bug fix release (bsc#1027519)
xen-4.14.6-testing-src.tar.bz2
* No upstream changelog found in sources or webpage
- bsc#1214082 - VUL-0: CVE-2023-20569: xen: x86/AMD: Speculative
Return Stack Overflow (XSA-434)
- bsc#1214083 - VUL-0: CVE-2022-40982: xen: x86/Intel: Gather Data
Sampling (XSA-435)
- Dropped patches contained in new tarball
62a1e594-x86-clean-up-_get_page_type.patch
62a1e5b0-x86-ABAC-race-in-_get_page_type.patch
62a1e5d2-x86-introduce-_PAGE_-for-mem-types.patch
62a1e5f0-x86-dont-change-cacheability-of-directmap.patch
62a1e60e-x86-split-cache_flush-out-of-cache_writeback.patch
62a1e62b-x86-AMD-work-around-CLFLUSH-ordering.patch
62a1e649-x86-track-and-flush-non-coherent.patch
62ab0fab-x86-spec-ctrl-VERW-flushing-runtime-cond.patch
62ab0fac-x86-spec-ctrl-enum-for-MMIO-Stale-Data.patch
62ab0fad-x86-spec-ctrl-add-unpriv-mmio.patch
62bdd840-x86-spec-ctrl-only-adjust-idle-with-legacy-IBRS.patch
62bdd841-x86-spec-ctrl-knobs-for-STIBP-and-PSFD.patch
62cc31ee-cmdline-extend-parse_boolean.patch
62cc31ef-x86-spec-ctrl-fine-grained-cmdline-subopts.patch
62cd91d0-x86-spec-ctrl-rework-context-switching.patch
62cd91d1-x86-spec-ctrl-rename-SCF_ist_wrmsr.patch
62cd91d2-x86-spec-ctrl-rename-opt_ibpb.patch
62cd91d3-x86-spec-ctrl-rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch
62cd91d4-x86-spec-ctrl-IBPB-on-entry.patch
62cd91d5-x86-cpuid-BTC_NO-enum.patch
62cd91d6-x86-spec-ctrl-enable-Zen2-chickenbit.patch
62cd91d7-x86-spec-ctrl-mitigate-Branch-Type-Confusion.patch
62dfe40a-x86-mm-gpt-TLB-flush-condition.patch
62f27ebd-x86-expose-more-MSR_ARCH_CAPS-to-hwdom.patch
62f51e16-x86-spec-ctrl-enum-PBRSB_NO.patch
62f523da-AMD-setup_force_cpu_cap-BSP-only.patch
63455f82-Arm-P2M-prevent-adding-mapping-when-dying.patch
63455fa8-Arm-P2M-preempt-when-freeing-intermediate.patch
63455fc3-x86-p2m_teardown-allow-skip-root-pt-removal.patch
63455fe4-x86-HAP-monitor-table-error-handling.patch
63456000-x86-tolerate-sh_set_toplevel_shadow-failure.patch
6345601d-x86-tolerate-shadow_prealloc-failure.patch
6345603a-x86-P2M-refuse-new-alloc-for-dying.patch
63456057-x86-P2M-truly-free-paging-pool-for-dying.patch
63456075-x86-P2M-free-paging-pool-preemptively.patch
63456090-x86-p2m_teardown-preemption.patch
63456175-libxl-per-arch-extra-default-paging-memory.patch
63456177-Arm-construct-P2M-pool-for-guests.patch
6345617a-Arm-XEN_DOMCTL_shadow_op.patch
6345617c-Arm-take-P2M-pages-P2M-pool.patch
634561aa-gnttab-locking-on-transitive-copy-error-path.patch
6351095c-Arm-rework-p2m_init.patch
6351096a-Arm-P2M-populate-pages-for-GICv2-mapping.patch
63569723-x86-shadow-replace-bogus-assertions.patch
636a9130-x86-spec-ctrl-Enumeration-for-IBPB_RET.patch
636a9130-x86-spec-ctrl-Mitigate-IBPB-not-flushing-the-RSB-RAS.patch
xsa326-01.patch
xsa326-02.patch
xsa326-03.patch
xsa326-04.patch
xsa326-05.patch
xsa326-06.patch
xsa326-07.patch
xsa326-08.patch
xsa326-09.patch
xsa326-10.patch
xsa326-11.patch
xsa326-12.patch
xsa326-13.patch
xsa326-14.patch
xsa326-15.patch
xsa326-16.patch
xsa403.patch
xsa414.patch
xsa415.patch
xsa416.patch
xsa417.patch
xsa418-01.patch
xsa418-02.patch
xsa418-03.patch
xsa418-04.patch
xsa418-05.patch
xsa418-06.patch
xsa419-01.patch
xsa419-02.patch
xsa419-03.patch
xsa421-01.patch
xsa421-02.patch
xsa427.patch
xsa428-1.patch
xsa428-2.patch
xsa429.patch
xsa433.patch
- Handle potential off-by-one errors in libxc-sr-xg_sr_bitmap.patch
A bit is an index in bitmap, while bits is the allocated size
of the bitmap.
- bsc#1213616 - VUL-0: CVE-2023-20593: xen: x86/AMD: Zenbleed
(XSA-433)
xsa433.patch
- Updated fix for XSA-417 (bsc#1204489)
64ba268b-xenstore-fix-XSA-417.patch
- yast2-network
-
- Fix typo when writing the wireless channel (bsc#1212976)
- 4.3.88
- bsc#1211431
- Do not crash installation when storing vlan configuration into
NetworkManager
- 4.3.87
- yast2-pkg-bindings
-
- Pkg.TargetInitializeOptions() - added a new option for
rebuilding the RPM database (--rebuilddb) (bsc#1209565)
- 4.3.12
- yast2-update
-
- Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)
- 4.3.5
- zypper
-
- Changed location of bash-complication (bsc#1213854).
This changes the location of zypper.sh bash completion script
from /usr/share/bash-completion/completions/.
- version 1.14.63
- man: revised explanation of --force-resolution (bsc#1213557)
Point out that the option not only allows to remove packages but
may also violate any other active policy if there is no other way
to resolve the job.
- Print summary hint if policies were violated due to
- -force-resolution (bsc#1213557)
- BuildRequires: libzypp-devel >= 17.31.16 (for zypp-tui)
- version 1.14.62
- targetos: Add an error note if XPath:/product/register/target
is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)
- version 1.14.61